
I-worm/vb.gk


This topic is locked
29 replies to this topic

#1 HighlyIntensive


Posted 02 July 2008 - 03:44 AM

Dear all,
This is the first time I am posting a topic here. Normally I just go through different threads and find the solution, but this time I've been trying myself for 3-4 days and the problem is just getting worse. I have AVG installed. I've run it many times in normal mode (also with System Restore turned off) and in Safe Mode. It detects thousands of different viruses and Sober worms; most of them are the I-Worm/VB.GK. It deletes them, but moments later my computer again has thousands of them. I've already done the following repeatedly:
(1) Run ATF Cleaner
(2) Run SUPERAntiSpyware (it normally detects 02 trojan downloaders and some adware cookies)
(3) Run Spybot S&D in Safe Mode (it has detected many problems and rectified them)
(4) Scanned the computer remotely with ESET NOD32 from a network computer. It also removes thousands of these viruses each time, but they keep coming back.
(5) Run Malwarebytes' Anti-Malware. It also removes some 20-25 items each time
(6) Run the Symantec worm removal tool. It found nothing
(7) Run the Webroot free Spy Sweeper. It found nothing
Now the worm is working even more quickly and replicates itself within minutes into thousands.
Some of my computer files were also automatically deleted today.
There is always a popup error at startup: "Windows cannot find EKSPLORASI.EXE." etc.
During the HijackThis log the following popup came: "You probably have a large amount of hijacked domains. It's better to delete the file itself than to fix each item. If the same IP address is found on all 01 items, delete the hosts file which is located at ........". I didn't do anything about it yet.

Please help, as I am worried I will lose lots of files otherwise.

Please find below the main.txt log and extra.txt log, respectively, from DSS.

Deckard's System Scanner v20071014.68
Run by AHS on 2008-07-02 14:11:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-02 09:11:11 UTC - RP4 - Deckard's System Scanner Restore Point
1: 2008-07-02 07:53:54 UTC - RP3 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as AHS.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:12 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\AHS\Desktop\dss.exe
\Ahs\HiJackThis\AHS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: <HTML><HEAD><TITLE>Yahoo!</TITLE>
O1 - Hosts: </HEAD><BODY BGCOLOR=white vlink=blue>
O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->
O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE --><center>
O1 - Hosts: <table width=675 cellpadding=0 cellspacing=2 border=0>
O1 - Hosts: <tr>
O1 - Hosts: <td width=1% valign=top><a href="http://www.yahoo.com"><img src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo"></a></td>
O1 - Hosts: <td align=right><font face=arial size=-1><a href="/404/*http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com">Help</a></font><hr size=1 noshade></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: <br>
O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=3>
O1 - Hosts: <tr>
O1 - Hosts: <td bgcolor=003399 colspan=2>
O1 - Hosts: <font face=Arial size=+1 color=white><b>Sorry, the page you requested was not found.</b></font>
O1 - Hosts: </td>
O1 - Hosts: </tr></table>
O1 - Hosts: <br>
O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=1>
O1 - Hosts: <tr>
O1 - Hosts: <td valign=top width=229 bgcolor=ffffff>
O1 - Hosts: <table width="100%" cellpadding=1 cellspacing=0 border=0 bgcolor=dcdcdc><tr>
O1 - Hosts: <td valign=top align=center><table width="100%" cellpadding=3 cellspacing=0 border=0 bgcolor=ffffff>
O1 - Hosts: <tr bgcolor=dcdcdc><td><font face=arial><b>Search Yahoo!</b></font></td></tr>
O1 - Hosts: <tr bgcolor=white><td valign=top align=center>
O1 - Hosts: <form action="http://search.yahoo.com/search">
O1 - Hosts: <input size="14" name="p" value="">&nbsp;
O1 - Hosts: <input type="SUBMIT" value="Search">
O1 - Hosts: <font face=arial size=-2>•&nbsp;<a href="http://search.yahoo.com/search/options?p=">advanced search</a> •&nbsp;<a href="http://buzz.yahoo.com">most popular</a></font>
O1 - Hosts: </form></td></tr></table>
O1 - Hosts: <table width=100% border=0 cellspacing=0 cellpadding=3 bgcolor=ffffff>
O1 - Hosts: <tr bgcolor=ccccff><td>
O1 - Hosts: <FONT face=arial size=+1>Yahoo! Web Hosting</font>
O1 - Hosts: </td></tr>
O1 - Hosts: <tr><td>
O1 - Hosts: <a href=http://webhosting.yahoo.com/ps/wh/prod/><img align=left src=http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/j_advan48.gif width=48 height=48 border=0 alt="Yahoo! Web Hosting"></a>
O1 - Hosts: <font face=arial size=-1>Yahoo! Web Hosting has <a href="http://webhosting.yahoo.com/ps/wh/prod/">three affordable plans</a> to meet your needs - starting at just $11.95.
O1 - Hosts: </td></tr>
O1 - Hosts: <tr><td align=right>
O1 - Hosts: <b><font face=arial size=-1><a href=http://webhosting.yahoo.com/ps/wh/prod/>Learn more...</a></font></b>
O1 - Hosts: </td></tr>
O1 - Hosts: </table>
O1 - Hosts: </td></tr></table>
O1 - Hosts: </td>
O1 - Hosts: <td width=1>&nbsp;</td>
O1 - Hosts: <td valign=top align=center width=445>
O1 - Hosts: <FONT size="1">[AD]</FONT>
O1 - Hosts: <noscript>
O1 - Hosts: <FONT size="1">[AD]</FONT>
O1 - Hosts: </noscript>
O1 - Hosts: </td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: <br>
O1 - Hosts: <table cellpadding=0 cellspacing=0 border=0 width=675><tr><td bgcolor=a0b8c8>
O1 - Hosts: <table cellpadding=1 cellspacing=1 border=0 width="100%">
O1 - Hosts: <tr valign=top bgcolor=ffffff><td align=center>
O1 - Hosts: <font face=arial size=-2><A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://address.yahoo.com/">Address Book</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://alerts.yahoo.com/">Alerts</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://auctions.yahoo.com/">Auctions</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://billpay.yahoo.com/">Bill Pay</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://bookmarks.yahoo.com/">Bookmarks</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://briefcase.yahoo.com/">Briefcase</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://broadcast.yahoo.com/">Broadcast</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://calendar.yahoo.com/">Calendar</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://chat.yahoo.com/">Chat</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://classifieds.yahoo.com/">Classifieds</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://clubs.yahoo.com/">Clubs</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://companion.yahoo.com/">Companion</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://experts.yahoo.com/">Experts</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://games.yahoo.com/">Games</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://greetings.yahoo.com/">Greetings</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://geocities.yahoo.com/">Home Pages</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://invites.yahoo.com/">Invites</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://mail.yahoo.com/">Mail</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://maps.yahoo.com/">Maps</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://members.yahoo.com/">Member Directory</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://messenger.yahoo.com/">Messenger</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://my.yahoo.com/">My Yahoo!</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://news.yahoo.com/">News</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://paydirect.yahoo.com/">PayDirect</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://people.yahoo.com/">People Search</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://personals.yahoo.com/">Personals</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://photos.yahoo.com/">Photos</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://shopping.yahoo.com/">Shopping</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://sports.yahoo.com/">Sports</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://finance.yahoo.com/">Stock Quotes</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://tv.yahoo.com/">TV</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://travel.yahoo.com/">Travel</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://weather.yahoo.com/">Weather</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://www.yahooligans.com/">Yahooligans</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://yp.yahoo.com/">Yellow Pages</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://docs.yahoo.com/docs/family/more.html">more...</A>
O1 - Hosts: </font></td></tr></table></td></tr></table>
O1 - Hosts: <p><center><hr noshade size=1 width="675"><table border=0 cellpadding=0 cellspacing=0><tr><td align=center valign=bottom width="100%"><font size="-2" face=arial>Copyright &copy; 2003 <a href="http://www.yahoo.com" target="_top">Yahoo! Inc.</a> All rights reserved.<br><b>NOTICE: We collect personal information on this site. To learn more about how we use your information, see our <a href="http://privacy.yahoo.com/privacy/us/" target="_top">Yahoo Privacy Policy</a></b></font></td></tr></table></center>
O1 - Hosts: </center>
O1 - Hosts: <!-- error 404 -->
O1 - Hosts: </body>
O1 - Hosts: </html>
O1 - Hosts: <!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7FAEB6C7-34F6-4542-A458-9ABB984AAE6D} - C:\WINDOWS\system32\vtUnmJBT.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lavasoftFeedBack] "E:\FIXING THE COMPUTER\ad-aware 2007\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [lavasoftMonitor] E:\FIXING~1\AD-AWA~1\op_mon.exe /tray /noservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoSysTray] "C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B677DB-F848-44F2-9685-5891ECC33242}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1C394C-001F-447D-B368-7648456FAE13}: NameServer = 203.128.3.18 203.128.7.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: rnopbfgt - {EC35C6B6-F9AB-4415-A4C0-C9A3810EA782} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {6EC0A2CF-31B8-4B32-A4E5-8FBF1A9E7A72} - C:\WINDOWS\xkefqtgs.dll (file missing)
O23 - Service: Lavasoft Client Security Service (acssrv) - Unknown owner - E:\FIXING~1\AD-AWA~1\acs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 15297 bytes

-- File Associations -----------------------------------------------------------

.reg - exefile - DefaultIcon - %1
.reg - exefile - shell\open\command - "%1" %*
.reg - exefile - shell\edit\command - unable to read value
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 acssrv (Lavasoft Client Security Service) - e:\fixing~1\ad-awa~1\acs.exe (file missing)
S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_134D&DEV_7896&SUBSYS_0001150D&REV_02\4&1E46F438&0&20F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_134D&DEV_7896&SUBSYS_0001150D&REV_02\4&1E46F438&0&20F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-01 15:35:49 396 --a------ C:\WINDOWS\Tasks\At1.job


-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-06-17 16:16:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 11:26:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-11 20:51:08 0 dr-h----- C:\Documents and Settings\AHS\Recent
2008-06-11 20:04:49 344 --ahs---- C:\WINDOWS\system32\TBJmnUtv.ini2
2008-06-11 18:53:13 0 d-------- C:\Documents and Settings\AHS\Application Data\TmpRecentIcons
2008-06-11 18:19:41 0 d-------- C:\Documents and Settings\AHS\Application Data\Malwarebytes
2008-06-11 18:19:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:19:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 16:01:11 0 d-------- C:\WINDOWS\{10022D38-A411-4B13-A746-C2A4F4EC7344}
2008-06-03 15:59:46 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-07-02 13:27:38 0 d-------- C:\Documents and Settings\AHS\Application Data\AVG7
2008-07-02 13:25:43 0 d-------- C:\Program Files\Plaxo
2008-07-01 17:05:13 7 ---hs---- C:\AUTOEXEC.BAT
2008-06-17 16:17:01 0 d-------- C:\Documents and Settings\AHS\Application Data\SUPERAntiSpyware.com
2008-06-17 16:16:36 0 d-------- C:\Program Files\Common Files
2008-05-08 16:19:47 2204 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-03 15:17:29 0 d-------- C:\Documents and Settings\AHS\Application Data\Sun
2008-05-03 15:15:59 0 d-------- C:\Program Files\Java
2008-05-03 15:10:33 0 d-------- C:\Program Files\Common Files\Java
2008-04-24 08:10:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-12 17:35:44 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FAEB6C7-34F6-4542-A458-9ABB984AAE6D}]
C:\WINDOWS\system32\vtUnmJBT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [03/13/2007 12:02 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [03/13/2007 12:02 PM C:\WINDOWS\SkyTel.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [03/13/2007 12:05 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [03/13/2007 12:05 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/12/2008 05:34 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/26/2008 12:01 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"lavasoftFeedBack"="E:\FIXING THE COMPUTER\ad-aware 2007\feedback.exe" []
"lavasoftMonitor"="E:\FIXING~1\AD-AWA~1\op_mon.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 PM]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe" [05/06/2008 11:12 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [05/02/2006 03:51 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/18/2008 09:09 AM]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe" [05/06/2008 11:12 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/30/2008 09:01 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=1 (0x1)
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoFolderOptions"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/30/2008 09:01 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rnopbfgt"= {EC35C6B6-F9AB-4415-A4C0-C9A3810EA782} - C:\WINDOWS\rnopbfgt.dll [ ]
"xkefqtgs"= {6EC0A2CF-31B8-4B32-A4E5-8FBF1A9E7A72} - C:\WINDOWS\xkefqtgs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"C:\WINDOWS\eksplorasi.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnmJBT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2d6aca-eb33-11dc-8e88-0019d1fd82fc}]
AutoRun\command- setupSNK.exe




-- Hosts -----------------------------------------------------------------------

<HTML><HEAD><TITLE>Yahoo!</TITLE>
</HEAD><BODY BGCOLOR=white vlink=blue>
<!-- following code added by server. PLEASE REMOVE -->
<!-- preceding code added by server. PLEASE REMOVE --><center>
<table width=675 cellpadding=0 cellspacing=2 border=0>
<tr>
<td width=1% valign=top><a href="http://www.yahoo.com"><img src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo"></a></td>
<td align=right><font face=arial size=-1><a href="/404/*http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com">Help</a></font><hr size=1 noshade></td>
</tr>
</table>

11 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-02 14:14:47 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 757.5 MiB / 402.2 MiB
Pagefile Memory (total/avail): 1855.59 MiB / 1464.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.98 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 7.09 GiB total, 2.18 GiB free.
D: is Fixed (FAT32) - 7.53 GiB total, 5.94 GiB free.
E: is Fixed (FAT32) - 7.53 GiB total, 5.09 GiB free.
F: is Fixed (FAT32) - 7.53 GiB total, 7.17 GiB free.
G: is Fixed (FAT32) - 7.53 GiB total, 0.28 GiB free.
J: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340015A - 37.27 GiB - 5 partitions
\PARTITION0 (bootable) - Installable File System - 7.09 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 30.18 GiB - D: - E: - F: - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Lavasoft Personal Firewall v6.0 (Lavasoft) Disabled
AV: AVG 7.5.523 v7.5.523 (Grisoft) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\AHS\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AHS-42E3B7DBE51
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\AHS
LOGONSERVER=\\AHS-42E3B7DBE51
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intel\DMIX;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0605
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AHS\LOCALS~1\Temp
TMP=C:\DOCUME~1\AHS\LOCALS~1\Temp
USERDOMAIN=AHS-42E3B7DBE51
USERNAME=AHS
USERPROFILE=C:\Documents and Settings\AHS
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

AHS (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 8 --> MsiExec.exe /I{AE80641A-0C8D-4670-A518-B4EC154B1027}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /X{AC76BA86-7AD7-1033-7B44-A70800000002}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "\\Ahs\HiJackThis\HijackThis.exe" /uninstall
hp LaserJet 1000 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{975C8028-51D8-44A9-9585-82E9810FE96A}\setup.exe"
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections 11.2.0.69 --> MsiExec.exe /i{2222B364-0854-4265-B32E-A142DB9DC7BB} ARPREMOVE=1
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lavasoft Personal Firewall --> "E:\FIXING THE COMPUTER\ad-aware 2007\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Plaxo Toolbar for Windows --> C:\Program Files\Plaxo\3.12.0.48\uninstall.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Searchkut Toolbar --> regsvr32 /u /s "C:\Program Files\Searchkut\Toolbar\Searchkut.dll"
Searchkut Toolbar 1.1 --> C:\Program Files\Searchkut\Toolbar\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Winamp AudioPlayer --> MsiExec.exe /X{29CABA12-1F35-4D5A-B059-E48C13DAA498}
Windows Live Messenger --> MsiExec.exe /I{7A837109-E671-470D-B489-F1EBE471D220}
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type697 / Warning
Event Submitted/Written: 07/02/2008 01:17:31 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type692 / Warning
Event Submitted/Written: 07/02/2008 00:06:03 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type682 / Warning
Event Submitted/Written: 07/01/2008 08:06:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type675 / Warning
Event Submitted/Written: 07/01/2008 04:31:46 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type666 / Warning
Event Submitted/Written: 07/01/2008 03:30:28 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18144 / Warning
Event Submitted/Written: 07/02/2008 01:43:46 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\CPQ25779171731 on the network \Device\NetBT_Tcpip_{0C8F005C-A2A7-4058-8270-6E95F16ED726}.
The data is the error code.

Event Record #/Type18142 / Error
Event Submitted/Written: 07/02/2008 01:26:31 PM
Event ID/Source: 31008 / ipnathlp
Event Description:
The DNS proxy agent was unable to read the local list of name-resolution
servers from the registry.
The data is the error code.

Event Record #/Type18120 / Error
Event Submitted/Written: 07/02/2008 01:24:26 PM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_SSIDRV\0000 disappeared from the system without first being prepared for removal.

Event Record #/Type18119 / Error
Event Submitted/Written: 07/02/2008 01:24:26 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type18118 / Error
Event Submitted/Written: 07/02/2008 01:24:26 PM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.



-- End of Deckard's System Scanner: finished at 2008-07-02 14:14:47 ------------





THANK YOU,
FARHAN
Your future depends on your dreams, so go to sleep


#2 HighlyIntensive

HighlyIntensive
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Location:Lahore
  • Local time:09:04 AM

Posted 02 July 2008 - 05:09 AM

JUST RAN THE AVG ANTIVIRUS SCAN AGAIN. THIS TIME IT SHOWED THOUSANDS OF WIN32/CHIR.B@mm VIRUSES.

ALSO FORGOT TO WRITE ONE THING. I CANNOT USE A FIREWALL ON THIS COMPUTER, BECAUSE IF I DO, THE NETWORK COMPUTERS CANNOT USE THE INTERNET, AS THIS COMPUTER IS THE MAIN COMPUTER AND 01 OTHER COMPUTER SHARES INTERNET WITH IT. I ALSO CANNOT ACCESS FILES FROM THE 2ND COMPUTER AND VICE VERSA IF THE FIREWALL IS TURNED ON. IS THERE ANY WAY I CAN USE THE INTERNET AND ACCESS FILES WITH THE FIREWALL TURNED ON??

I'M ANXIOUSLY WAITING FOR HELP......

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:04 PM

Posted 02 July 2008 - 11:41 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: (no name) - {7FAEB6C7-34F6-4542-A458-9ABB984AAE6D} - C:\WINDOWS\system32\vtUnmJBT.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rnopbfgt - {EC35C6B6-F9AB-4415-A4C0-C9A3810EA782} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {6EC0A2CF-31B8-4B32-A4E5-8FBF1A9E7A72} - C:\WINDOWS\xkefqtgs.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - (no file)



Reboot your computer.



Flush your system restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in system restore is booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point, something like "After cleanup". Click Create and you're done.


=============


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



==============


Since you already have Malwarebytes installed, please run a new scan with it and post the resulting log in your next reply.
Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 HighlyIntensive

HighlyIntensive
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Location:Lahore
  • Local time:09:04 AM

Posted 03 July 2008 - 01:27 AM

DEAR SAM,

THANX A LOT FOR YOUR TIME AND EFFORT.

DID EVERYTHING AS INSTRUCTED.

PLEASE FIND BELOW THE MALWAREBYTES LOG. THE DSS LOG WILL FOLLOW IN THE NEXT REPLY...

Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 2

12:23:04 PM 7/3/2008
mbam-log-7-3-2008 (12-23-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 68774
Time elapsed: 18 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 HighlyIntensive

HighlyIntensive
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Location:Lahore
  • Local time:09:04 AM

Posted 03 July 2008 - 01:33 AM

PLEASE FIND BELOW MY DSS LOG. THIS TIME IT ONLY GAVE THE MAIN.TXT LOG.

Deckard's System Scanner v20071014.68
Run by AHS on 2008-07-03 12:27:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as AHS.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:40 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\AHS\Desktop\dss.exe
\Ahs\HiJackThis\AHS.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: <HTML><HEAD><TITLE>Yahoo!</TITLE>
O1 - Hosts: </HEAD><BODY BGCOLOR=white vlink=blue>
O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->
O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE --><center>
O1 - Hosts: <table width=675 cellpadding=0 cellspacing=2 border=0>
O1 - Hosts: <tr>
O1 - Hosts: <td width=1% valign=top><a href="http://www.yahoo.com"><img src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo"></a></td>
O1 - Hosts: <td align=right><font face=arial size=-1><a href="/404/*http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com">Help</a></font><hr size=1 noshade></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: <br>
O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=3>
O1 - Hosts: <tr>
O1 - Hosts: <td bgcolor=003399 colspan=2>
O1 - Hosts: <font face=Arial size=+1 color=white><b>Sorry, the page you requested was not found.</b></font>
O1 - Hosts: </td>
O1 - Hosts: </tr></table>
O1 - Hosts: <br>
O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=1>
O1 - Hosts: <tr>
O1 - Hosts: <td valign=top width=229 bgcolor=ffffff>
O1 - Hosts: <table width="100%" cellpadding=1 cellspacing=0 border=0 bgcolor=dcdcdc><tr>
O1 - Hosts: <td valign=top align=center><table width="100%" cellpadding=3 cellspacing=0 border=0 bgcolor=ffffff>
O1 - Hosts: <tr bgcolor=dcdcdc><td><font face=arial><b>Search Yahoo!</b></font></td></tr>
O1 - Hosts: <tr bgcolor=white><td valign=top align=center>
O1 - Hosts: <form action="http://search.yahoo.com/search">
O1 - Hosts: <input size="14" name="p" value="">&nbsp;
O1 - Hosts: <input type="SUBMIT" value="Search">
O1 - Hosts: <font face=arial size=-2>•&nbsp;<a href="http://search.yahoo.com/search/options?p=">advanced search</a> •&nbsp;<a href="http://buzz.yahoo.com">most popular</a></font>
O1 - Hosts: </form></td></tr></table>
O1 - Hosts: <table width=100% border=0 cellspacing=0 cellpadding=3 bgcolor=ffffff>
O1 - Hosts: <tr bgcolor=ccccff><td>
O1 - Hosts: <FONT face=arial size=+1>Yahoo! Web Hosting</font>
O1 - Hosts: </td></tr>
O1 - Hosts: <tr><td>
O1 - Hosts: <a href=http://webhosting.yahoo.com/ps/wh/prod/><img align=left src=http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/j_advan48.gif width=48 height=48 border=0 alt="Yahoo! Web Hosting"></a>
O1 - Hosts: <font face=arial size=-1>Yahoo! Web Hosting has <a href="http://webhosting.yahoo.com/ps/wh/prod/">three affordable plans</a> to meet your needs - starting at just $11.95.
O1 - Hosts: </td></tr>
O1 - Hosts: <tr><td align=right>
O1 - Hosts: <b><font face=arial size=-1><a href=http://webhosting.yahoo.com/ps/wh/prod/>Learn more...</a></font></b>
O1 - Hosts: </td></tr>
O1 - Hosts: </table>
O1 - Hosts: </td></tr></table>
O1 - Hosts: </td>
O1 - Hosts: <td width=1>&nbsp;</td>
O1 - Hosts: <td valign=top align=center width=445>
O1 - Hosts: <FONT size="1">[AD]</FONT>
O1 - Hosts: <noscript>
O1 - Hosts: <FONT size="1">[AD]</FONT>
O1 - Hosts: </noscript>
O1 - Hosts: </td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: <br>
O1 - Hosts: <table cellpadding=0 cellspacing=0 border=0 width=675><tr><td bgcolor=a0b8c8>
O1 - Hosts: <table cellpadding=1 cellspacing=1 border=0 width="100%">
O1 - Hosts: <tr valign=top bgcolor=ffffff><td align=center>
O1 - Hosts: <font face=arial size=-2><A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://address.yahoo.com/">Address Book</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://alerts.yahoo.com/">Alerts</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://auctions.yahoo.com/">Auctions</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://billpay.yahoo.com/">Bill Pay</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://bookmarks.yahoo.com/">Bookmarks</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://briefcase.yahoo.com/">Briefcase</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://broadcast.yahoo.com/">Broadcast</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://calendar.yahoo.com/">Calendar</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://chat.yahoo.com/">Chat</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://classifieds.yahoo.com/">Classifieds</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://clubs.yahoo.com/">Clubs</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://companion.yahoo.com/">Companion</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://experts.yahoo.com/">Experts</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://games.yahoo.com/">Games</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://greetings.yahoo.com/">Greetings</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://geocities.yahoo.com/">Home Pages</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://invites.yahoo.com/">Invites</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://mail.yahoo.com/">Mail</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://maps.yahoo.com/">Maps</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://members.yahoo.com/">Member Directory</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://messenger.yahoo.com/">Messenger</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://my.yahoo.com/">My Yahoo!</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://news.yahoo.com/">News</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://paydirect.yahoo.com/">PayDirect</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://people.yahoo.com/">People Search</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://personals.yahoo.com/">Personals</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://photos.yahoo.com/">Photos</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://shopping.yahoo.com/">Shopping</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://sports.yahoo.com/">Sports</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://finance.yahoo.com/">Stock Quotes</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://tv.yahoo.com/">TV</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://travel.yahoo.com/">Travel</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://weather.yahoo.com/">Weather</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://www.yahooligans.com/">Yahooligans</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://yp.yahoo.com/">Yellow Pages</A> · <A
O1 - Hosts: href="http://rd.yahoo.com/footer/?http://docs.yahoo.com/docs/family/more.html">more...</A>
O1 - Hosts: </font></td></tr></table></td></tr></table>
O1 - Hosts: <p><center><hr noshade size=1 width="675"><table border=0 cellpadding=0 cellspacing=0><tr><td align=center valign=bottom width="100%"><font size="-2" face=arial>Copyright &copy; 2003 <a href="http://www.yahoo.com" target="_top">Yahoo! Inc.</a> All rights reserved.<br><b>NOTICE: We collect personal information on this site. To learn more about how we use your information, see our <a href="http://privacy.yahoo.com/privacy/us/" target="_top">Yahoo Privacy Policy</a></b></font></td></tr></table></center>
O1 - Hosts: </center>
O1 - Hosts: <!-- error 404 -->
O1 - Hosts: </body>
O1 - Hosts: </html>
O1 - Hosts: <!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lavasoftFeedBack] "E:\FIXING THE COMPUTER\ad-aware 2007\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [lavasoftMonitor] E:\FIXING~1\AD-AWA~1\op_mon.exe /tray /noservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoSysTray] "C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B677DB-F848-44F2-9685-5891ECC33242}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1C394C-001F-447D-B368-7648456FAE13}: NameServer = 203.128.3.18 203.128.7.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{0C8F005C-A2A7-4058-8270-6E95F16ED726}: NameServer = 203.128.3.18,203.128.7.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Client Security Service (acssrv) - Unknown owner - E:\FIXING~1\AD-AWA~1\acs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 14388 bytes

-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-07-02 15:51:15 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-02 15:51:15 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-02 15:51:15 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-02 15:51:15 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 15:51:15 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-02 15:51:15 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-02 15:51:15 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-02 15:51:15 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-02 15:51:15 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-02 15:51:15 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-02 15:51:15 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-02 15:51:15 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-02 15:51:15 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-02 15:51:15 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-17 16:16:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 11:26:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-11 20:51:08 0 dr-h----- C:\Documents and Settings\AHS\Recent
2008-06-11 20:04:49 344 --ahs---- C:\WINDOWS\system32\TBJmnUtv.ini2
2008-06-11 18:53:13 0 d-------- C:\Documents and Settings\AHS\Application Data\TmpRecentIcons
2008-06-11 18:19:41 0 d-------- C:\Documents and Settings\AHS\Application Data\Malwarebytes
2008-06-11 18:19:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:19:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 16:01:11 0 d-------- C:\WINDOWS\{10022D38-A411-4B13-A746-C2A4F4EC7344}
2008-06-03 15:59:46 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-07-03 11:57:28 0 d-------- C:\Program Files\Plaxo
2008-07-03 11:12:20 0 d-------- C:\Documents and Settings\AHS\Application Data\AVG7
2008-07-01 17:05:13 7 ---hs---- C:\AUTOEXEC.BAT
2008-06-17 16:17:01 0 d-------- C:\Documents and Settings\AHS\Application Data\SUPERAntiSpyware.com
2008-06-17 16:16:36 0 d-------- C:\Program Files\Common Files
2008-05-08 16:19:47 2204 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-03 15:17:29 0 d-------- C:\Documents and Settings\AHS\Application Data\Sun
2008-05-03 15:15:59 0 d-------- C:\Program Files\Java
2008-05-03 15:10:33 0 d-------- C:\Program Files\Common Files\Java
2008-04-24 08:10:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-12 17:35:44 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [03/13/2007 12:02 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [03/13/2007 12:02 PM C:\WINDOWS\SkyTel.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [03/13/2007 12:05 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [03/13/2007 12:05 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/12/2008 05:34 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/26/2008 12:01 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"lavasoftFeedBack"="E:\FIXING THE COMPUTER\ad-aware 2007\feedback.exe" []
"lavasoftMonitor"="E:\FIXING~1\AD-AWA~1\op_mon.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 PM]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe" [05/06/2008 11:12 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [05/02/2006 03:51 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/18/2008 09:09 AM]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe" [05/06/2008 11:12 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/30/2008 09:01 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoFolderOptions"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/30/2008 09:01 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnmJBT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2d6aca-eb33-11dc-8e88-0019d1fd82fc}]
AutoRun\command- setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-07-03 12:29:34 ------------



PLEASE LET ME KNOW WHAT NEEDS TO BE DONE FURTHER......

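Added example, not posted in this thread and not part of HijackThis, DSS or any other tool named here: a small Python triage script that applies the same kind of checks Sam applied to the HijackThis lines in post #3 (a second executable appended to the Winlogon Shell value, load points whose file is missing, IE restriction and DisableRegedit policies) and the two entries in the registry dump of post #5 that a reviewer would also want to look at (an extra module listed under LSA "Authentication Packages", and a MountPoints2 AutoRun command). The sample lines are constructed in the shape of the thread's logs with the GUIDs shortened; the function names `triage_line` and `triage` are my own, and the "msv1_0 only" baseline is the default for a stand-alone Windows XP machine.

```python
"""Triage of HijackThis-style log lines and DSS registry-dump lines (added example)."""
import re
from typing import List, Tuple

# Constructed sample input in the shape of the logs posted in this thread
# (GUIDs shortened, a few benign lines added so the checks have something to pass).
SAMPLE_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: (no name) - {7FAEB6C7-0000-0000-0000-000000000000} - C:\WINDOWS\system32\vtUnmJBT.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-0000-0000-0000-000000000000} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-0000-0000-0000-000000000000} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rnopbfgt - {EC35C6B6-0000-0000-0000-000000000000} - C:\WINDOWS\rnopbfgt.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - (no file)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnmJBT
AutoRun\command- setupSNK.exe
""".strip().splitlines()

DEFAULT_SHELL = "explorer.exe"          # the only expected Winlogon shell on XP
DEFAULT_AUTH_PACKAGES = {"msv1_0"}      # default LSA authentication package (assumption: stand-alone XP)


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one log line deserves attention."""
    reasons: List[str] = []
    text = line.strip()

    # F2: anything appended to Shell=Explorer.exe is started with the desktop at every logon.
    if text.startswith("F2 -") and "Shell=" in text:
        shell_value = text.split("Shell=", 1)[1].strip()
        if shell_value.lower() != DEFAULT_SHELL:
            reasons.append("non-default Winlogon shell: " + shell_value)

    # O2/O3/O21/O24: a registration whose target file is gone is a dead load point
    # left behind by a removed infection; clearing it is the safe, expected fix.
    if text.endswith("(file missing)") or text.endswith("(no file)"):
        reasons.append("orphaned load point (target file absent)")

    # O6/O7: IE restrictions and DisableRegedit=1 are not set by a default install;
    # malware sets them to keep the user away from their own tools.
    if text.startswith("O6 -") and "Restrictions present" in text:
        reasons.append("Internet Explorer restriction policy set")
    if text.startswith("O7 -") and re.search(r"DisableRegedit=1\b", text):
        reasons.append("registry editor disabled by policy")

    # DSS registry dump: every listed authentication package is loaded into lsass.exe
    # at boot, so any module beyond the default set is a persistence point to verify.
    if text.startswith('"Authentication Packages"='):
        packages = text.split("=", 1)[1].split()
        extra = [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
        if extra:
            reasons.append("extra LSA authentication package(s): " + ", ".join(extra))

    # DSS registry dump: a MountPoints2 AutoRun command runs when that volume is opened,
    # which is how an autorun worm re-seeds a machine from a data drive or USB stick.
    if text.startswith("AutoRun\\command-"):
        reasons.append("AutoRun command on a mounted volume: " + text.split("-", 1)[1].strip())

    return reasons


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Pair each flagged line with its reasons; lines with nothing to report are dropped."""
    flagged: List[Tuple[str, List[str]]] = []
    for ln in lines:
        reasons = triage_line(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged


if __name__ == "__main__":
    for ln, why in triage(SAMPLE_LINES):
        print(ln)
        for reason in why:
            print("   ->", reason)
```

Run it as-is to see the nine flagged lines; to use it on a real log, replace `SAMPLE_LINES` with `open(path).read().splitlines()`. It only reads text, so it is safe to run on the clean network computer against a log copied from the infected one, and it deliberately does not try to remove anything: the decision on what to fix stays with the helper.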
#6 HighlyIntensive

HighlyIntensive
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Location:Lahore
  • Local time:09:04 AM

Posted 03 July 2008 - 01:54 AM

SORRY I FORGOT TO GIVE YOU THE BELOW INFO

MY WINDOWS IS XP SP2
I AM USING INTERNET EXPLORER
I HAVE ALL THE WINDOWS UPDATES INSTALLED AND ALSO KEEP UPDATING MY ANTIVIRUS AND MALWAREBYTES AND SUPER ANTISPYWARE REGULARLY
I JUST RAN 02 SCANS WITH ESET NOD32 (FROM MY NETWORK COMPUTER), AFTER FOLLOWING THE INSTRUCTIONS GIVEN BY YOU:
1ST COMPLETE SCAN REMOVED SOME 833 VIRUSES
2ND COMPLETE SCAN STILL CONTINUING AND HAS REMOVED SOME 600+ VIRUSES ALREADY

MOST OF THE VIRUSES ARE FROM MY D DRIVE AND F DRIVE WHEREAS THE WINDOWS AND ALL MY PROGRAM FILES ARE ON C DRIVE. ON THE D DRIVE AND F DRIVE I HAVE SOME IMPORTANT OFFICE DATA WHICH GOES BACK A FEW YEARS.

MY NETWORK COMPUTER IS ABSOLUTELY SAFE FROM ANY SORT OF VIRUS OR MALWARE OR SPYWARE. RUNNING WITHOUT ANY PROBLEMS.

JUST THOUGHT THIS INFORMATION MIGHT BE HELPFUL

#7 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 July 2008 - 10:36 AM

It doesn't bother me as much as it does some other people, but I would be remiss in not mentioning that typing in all caps signifies that you are yelling. Some find it to be very offensive, or even rude. Just a quick lesson in Internet etiquette. :thumbsup:

I must admit that I am very puzzled by all the viruses that your antivirus is finding. I do see a few remnants of an old infection that we do need to take care of, but I'm not seeing anything like what you are describing. Is there a log from your virus scan that you can post for me?


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 HighlyIntensive
  • Topic Starter
  • Members
  • 32 posts
  • Location:Lahore

Posted 04 July 2008 - 02:06 AM

Dear Sam,

I apologize for the CAPS thingy but I had no idea it would offend someone. I am in a habit of typing like that cuz I just save myself from pressing the Shift button again and again. But anyways, you can see that I have taken strong notice of your advice..... :thumbsup:

Please find below my Combofix Log. This is the first time that Combofix has rebooted the machine whereas I have used it several times before (I mean over the past years). In my next reply you will find my AVG antivirus Log.

ComboFix 08-07-03.3 - AHS 2008-07-04 12:42:10.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.398 [GMT 5:00]
Running from: C:\Documents and Settings\AHS\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\TBJmnUtv.ini
C:\WINDOWS\system32\TBJmnUtv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-02 15:51 . 2008-07-02 15:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-02 14:10 . 2008-07-02 14:10 <DIR> d-------- C:\Deckard
2008-06-18 18:14 . 2008-06-18 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-17 16:16 . 2008-06-17 16:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 15:57 . 2008-06-16 15:57 244 --ah----- C:\sqmnoopt11.sqm
2008-06-16 15:57 . 2008-06-16 15:57 232 --ah----- C:\sqmdata11.sqm
2008-06-12 11:26 . 2008-06-30 21:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-11 19:56 . 2008-06-11 19:57 184 --a------ C:\WINDOWS\wininit.ini
2008-06-11 18:26 . 2008-06-11 18:26 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 18:19 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 18:19 . 2008-06-11 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:19 . 2008-06-11 18:19 <DIR> d-------- C:\Documents and Settings\AHS\Application Data\Malwarebytes
2008-06-11 18:19 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 18:19 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 09:25 . 2008-04-14 16:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 09:25 . 2008-04-14 16:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-04 14:57 . 2008-06-04 14:57 244 --ah----- C:\sqmnoopt10.sqm
2008-06-04 14:57 . 2008-06-04 14:57 232 --ah----- C:\sqmdata10.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 07:46 --------- d-----w C:\Program Files\Plaxo
2008-07-04 04:18 --------- d-----w C:\Documents and Settings\AHS\Application Data\AVG7
2008-06-17 11:17 --------- d-----w C:\Documents and Settings\AHS\Application Data\SUPERAntiSpyware.com
2008-05-10 07:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe" [2008-05-06 11:12 293447]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-05-02 15:51 3334144]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-18 09:09 68856]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe" [2008-05-06 11:12 20480]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-30 21:01 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-13 12:05 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-13 12:05 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-12 17:34 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-26 12:01 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 12:02 16116224 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-03-13 12:02 2879488 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-26 11:47 219136]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-30 21:01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\fixing~1\ad-awa~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys [2008-03-12 12:31]
R3 afw;Lavasoft firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2008-02-28 14:32]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 04:01]
S2 acssrv;Lavasoft Client Security Service;E:\FIXING~1\AD-AWA~1\acs.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2d6aca-eb33-11dc-8e88-0019d1fd82fc}]
\Shell\AutoRun\command - setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-03 12:08:00 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\AHS\Templates\Brengkolang.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{10022D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
HKLM-Run-lavasoftFeedBack - E:\FIXING THE COMPUTER\ad-aware 2007\feedback.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 12:47:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-04 12:51:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 07:51:15
ComboFix2.txt 2008-06-03 10:57:10

Pre-Run: 2,241,961,984 bytes free
Post-Run: 2,252,414,976 bytes free

237 --- E O F --- 2008-06-11 13:26:27

#9 HighlyIntensive
  • Topic Starter
  • Members
  • 32 posts
  • Location:Lahore

Posted 04 July 2008 - 02:23 AM

This is a fresh AVG log from a scan which was done just a few hours before running Combofix. I cannot post the complete log because it comprises about 614 pages in Word. I am posting here only a few of the scan results and a few of the action-taken results. Also, I am not sure if this is the right way to do it, so please let me know if you would still like to look at the complete log (if it even fits here). The viruses are always a .exe file made inside a folder, with the same name as the folder. The viruses are mostly I-WORM/vb.gk, Chir.B and Brontok. So, the more folders I have, the more viruses I have. The scan shown below detected 2812 viruses. The scan after this (only 15 minutes later) detected some 1500+ viruses. The longer I go without running a virus scan, the more folders it replicates into, and as I said this is done within minutes, and now it's making me go :thumbsup:

Some Virus Scan Results

</rec>
<rec time="2008/07/04 09:18:50" user="AHS" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/07/04 09:39:49" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\D.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:39:51" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\Data Ch.IRFAN AHMAD.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:39:54" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\ZSK.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:39:57" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\OPEN HOUSE - SEMINAR 2007\OPEN HOUSE - SEMINAR 2007.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:39:58" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\Invitations for ZSK Seminar\Invitations for ZSK Seminar.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:00" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\VIP Processing\VIP Processing.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:02" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\VIP Processing\16.10.06\16.10.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:04" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\The National Silk & Reyon\The National Silk & Reyon.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:06" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\Silko Emb\Silko Emb.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:08" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\Seven Seas\Seven Seas.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:10" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\Seven Seas\04.01.07\04.01.07`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:11" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\Sana Fabrics\Sana Fabrics.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:13" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADIQ WOOLLEN\SADIQ WOOLLEN.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:15" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SADAQAT TEXTILE.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:17" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\SPARE PARTS.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:19" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\29.03.06\29.03.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:21" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\18.01.07\18.01.07`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:22" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\10.05.07\10.05.07`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:24" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\02.05.07\02.05.07`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:26" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\1.22.08\1.22.08`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:28" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\31.03.06\31.03.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:30" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\29.03.06\29.03.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:32" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\27.03.06\27.03.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:33" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\01.04.06\01.04.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:35" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\25.01.06\25.01.06`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:37" user="AHS" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\ZSK\SADAQAT TEXTILE\08.02.08\08.02.08`.exe</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">I-Worm/VB.GK</attr>
</rec>
<rec time="2008/07/04 09:40:39" user="AHS" source="Virus">
<value>@HL_ReportFind</value>


Some actions taken by AVG

<rec time="2008/07/04 11:18:42" user="AHS" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">2812</attr>
</rec>
<rec time="2008/07/04 11:18:49" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\D.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:49" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\Data Ch.IRFAN AHMAD.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:49" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\ZSK.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:49" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\OPEN HOUSE - SEMINAR 2007\OPEN HOUSE - SEMINAR 2007.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:49" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Invitations for ZSK Seminar\Invitations for ZSK Seminar.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\VIP Processing\VIP Processing.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\VIP Processing\16.10.06\16.10.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\The National Silk & Reyon\The National Silk & Reyon.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Silko Emb\Silko Emb.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Seven Seas\Seven Seas.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Seven Seas\04.01.07\04.01.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Sana Fabrics\Sana Fabrics.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADIQ WOOLLEN\SADIQ WOOLLEN.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SADAQAT TEXTILE.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\SPARE PARTS.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\29.03.06\29.03.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\18.01.07\18.01.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\10.05.07\10.05.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\02.05.07\02.05.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\1.22.08\1.22.08`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\31.03.06\31.03.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\29.03.06\29.03.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\27.03.06\27.03.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\01.04.06\01.04.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\25.01.06\25.01.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\08.02.08\08.02.08`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\14.02.08\14.02.08`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\National Emb\National Emb.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\National Emb\31.10.06\31.10.06`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\National Emb\30.03.07\30.03.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\National Emb\12.02.07\12.02.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\National Emb\7.06.07\7.06.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Mughal Textile\Mughal Textile.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:51" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\Mughal Textile\Old\Old.exe</attr>
Your future depends on your dreams, so go to sleep

#10 HighlyIntensive (Topic Starter)
  • Members
  • 32 posts
  • Location:Lahore

Posted 04 July 2008 - 02:37 AM

I always forget something. The Combofix removed my Spybot S&D. Is this normal?

Also, as I mentioned in my first post, some of my files were deleted by themselves. After running Combofix I realized that all my vanished desktop shortcuts came back but the original files didn't. So I got back only empty shortcuts to my deleted files.

Am I writing too much???...... :thumbsup:

#11 Buckeye_Sam (Malware Expert)
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 July 2008 - 09:44 AM

The caps thing never bothers me as much because I know it's a time saver more than anything else. But it's a real pet peeve of some.

I have not experienced Combofix removing Spybot before. That's new to me. What happened? How do you know Combofix did it?


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Tasks\At1.job
    C:\Documents and Settings\AHS\Templates\Brengkolang.com
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Tell me more about your D:\ drive. It's obviously infected badly.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 HighlyIntensive (Topic Starter)
  • Members
  • 32 posts
  • Location:Lahore

Posted 05 July 2008 - 12:33 AM

Well, regarding Spybot: it was working fine before I ran Combofix. After running Combofix the desktop icon for Spybot went blank and didn't work anymore. I thought it was gone, but after checking in my Programs folder I found it again. So only the desktop icon was gone. Sorry for the confusion.

The OTMoveIt2 Log is given below. Seems like it didn't do much. It didn't ask for a reboot. :thumbsup:




C:\WINDOWS\Tasks\At1.job moved successfully.
File/Folder C:\Documents and Settings\AHS\Templates\Brengkolang.com not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07052008_110129



What more can I tell you about my D drive? Well, remember the files I told you about which got deleted by themselves. They were in the E drive in a folder by the name of "My Documents". But the viruses are more in the D & F drives, with D having the major share. It's like 65% of the viruses are detected from D and the rest from the other drives, out of which F has more than the others. I guess I have more than 400 folders in the D drive. Since yesterday, 2 viruses are now being made in each folder. In some folders there are even 03. One of them is a .eml file; the other 2 are .exe files. The .eml virus is identified by the antivirus as "Win32/Chir.B@mm" and the .exe files are identified mostly as "I-Worm/VB.GK" and sometimes as "Brontok". Once in a while it also identifies the viruses as "Worm/Autorun.Y" (which is normally only found in F:\3wcxx91.cmd) and "Worm/Delf.CYB" (which is normally only found in the System Volume Information folder).

Please let me know if you would like to have some specific information besides the above. I don't know what information might be helpful.

Thanks for your efforts.
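As an added example (not from this thread, nor from AVG or any of the tools named in it), here is a small Python script that parses records in the format of the AVG log posted above and flags the naming pattern described in this post, where a folder contains an executable named after the folder itself (with or without the trailing backtick), then totals cleaned files per drive. The sample log is constructed, and its last record is cut off the way the posted log is, so the parser has to cope with a missing `</rec>`.

```python
import re
from collections import Counter
# Constructed sample in the record format of the AVG log posted in this
# thread; the last record is deliberately cut off, as the posted log is.
SAMPLE_LOG = r"""<rec time="2008/07/04 11:18:50" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\SADAQAT TEXTILE\SPARE PARTS\18.01.07\18.01.07`.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:52" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">F:\3wcxx91.cmd</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/07/04 11:18:53" user="AHS" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\ZSK\National Emb\National Emb.exe</attr>
"""
ATTR_RE = re.compile(r'<attr name="([^"]+)">([^<]*)</attr>')

def parse_records(log_text):
    # One dict per <rec>; a record with no closing </rec> is still returned.
    records = []
    for chunk in re.split(r"(?=<rec\b)", log_text):
        head = re.match(r'<rec time="([^"]*)"', chunk)
        if not head:
            continue  # text before the first record
        attrs = dict(ATTR_RE.findall(chunk))
        records.append({"time": head.group(1), "filename": attrs.get("filename"),
                        "action": attrs.get("action"),  # None when cut off
                        "complete": "</rec>" in chunk})
    return records

def is_folder_mimic(path):
    # True for an .exe (with or without a trailing backtick) named after its folder.
    parts = path.rstrip("\\").split("\\")
    stem, dot, ext = parts[-1].rpartition(".")
    return (len(parts) > 1 and dot == "." and ext.lower() == "exe"
            and stem.rstrip("`").casefold() == parts[-2].casefold())

def summarise(records):
    # Cleaned files per drive, the folder-mimics, and how many records were cut off.
    by_drive, mimics = Counter(), []
    for rec in records:
        name = rec["filename"]
        if name:
            by_drive[name[:2].upper()] += 1
            if is_folder_mimic(name):
                mimics.append(name)
    return {"by_drive": dict(by_drive), "mimics": mimics,
            "truncated": sum(not r["complete"] for r in records)}
```

Running `summarise(parse_records(SAMPLE_LOG))` on the constructed sample reports two cleaned files on D: and one on F:, both D: files as folder-mimics, and one truncated record.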

#13 HighlyIntensive (Topic Starter)
  • Members
  • 32 posts
  • Location:Lahore

Posted 05 July 2008 - 06:54 AM

Again, I forgot something. I will not be able to post a reply or follow any instructions given by you until Monday 07.07.08 afternoon, as this is my office computer and luckily we have Sundays off. :thumbsup:

#14 Buckeye_Sam (Malware Expert)
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 July 2008 - 10:57 AM

This is a nasty infection. There are some removal tools that have been created, but they are not always very effective.


Let's try a couple things.

Download this tool to your D:\ drive and run it.
http://www.bitdefender.com/site/Downloads/...FreeRemovalTool


Then download this tool and run it, then click Go.
http://www.sophos.com/support/cleaners/brontgui.com


And finally download this tool and run it.
http://download.bleepingcomputer.com/sUBs/CleanX-II.exe

It will create a log that you can post here in your next reply.

#15 HighlyIntensive (Topic Starter)
  • Members
  • 32 posts
  • Location:Lahore

Posted 07 July 2008 - 09:28 AM

Well, I don't know what happened, but since Saturday afternoon the viruses have somehow stopped and now there is not even a single one, except for the pop-up error at startup which says "Windows cannot find eksplorasi.exe". I downloaded all three tools to D: and scanned with them, but they too found nothing. But the second tool did show me some file names & folder names which Brontok might make to keep its data. I found lots of them in the following area:

C:\Documents and Settings\AHS\Local Settings\Application Data

The folders were all empty but I deleted them (as they had the word Brontok in their names in one way or the other, e.g. Bron.mail.tok & bron.sent.tok etc. etc.). There were some Notepad text files with similar names which I also manually deleted. But these I already did before too, about 1-2 weeks ago. The Local Settings folder is always hidden (should it be??) so I don't check it too often.

I don't know if the viruses are hibernating or they are really gone. I have scanned my computer at least 5-6 times since Saturday afternoon. Nothing showed up. The log for CleanX-II is given below.

#######################################################################

Brontok Worm Removal Tool - (Version - 06.09.17B)
by sUBs

#######################################################################

Current date: Mon 07/07/2008 Current time: 20:14:33.56

=== PRE RUN ANALYSIS ===================================


=== POST RUN ANALYSIS ==================================



NOTE
The post-run analysis portion should be empty. If it's not, reboot and run the tool a second time.
20:14:52.64

======================================================


Please let me know what's to be done about the error message at startup for "eksplorasi.exe".

Also anything else you recommend.

I can never be thankful enough, Sam. Have a nice evening!!!
