
Fatal Error 0xc0000022 Then> Warning! Spyware Detected On Ur Computer.


  • This topic is locked
50 replies to this topic

#1 hookedforever
Posted 02 July 2008 - 09:16 AM

Hi!

I hope you could help me with my problem.
Last night, I downloaded a Java update (I guess it's Java™ 6 Update 5). The update took a long time and as soon as I finished it, a lot of trojans (something like SHeur, fakealert.k; I really can't remember the other ones, sorry) were detected by my AVG 7.5 Email Server Edition. I tried healing each and every one of them and AVG said that they had been healed. But for like every 5 minutes, especially when I opened another Firefox window, AVG would start popping out alerts about those trojans. I tried putting them into quarantine because I thought that might help, but it didn't. Then this morning when my sister opened my laptop, she said that AVG again detected those trojans, so she just healed them and then the laptop restarted. When the LAN is connected, it would show the BSOD saying:


Stop c000021a {Fatal System Error}
The session manager initialization system process terminated unexpectedly with a status of 0xc0000022 (0x00000000, 0x0000000)
The system has been shut down.


But when I disconnect the internet, the laptop just keeps on restarting. I then searched for possible solutions on the internet through my other computer and it seemed that there wasn't any definite solution. I got so desperate that I just wanted to find a way to save the files on my laptop. I tried running my laptop in Safe Mode with Networking because it asked for a password when I tried logging in in "Safe Mode". I was able to connect to the internet while in Safe Mode with Networking and then I downloaded the Microsoft Windows Malicious Software Removal Tool. I then saw a post on some thread saying that I should uninstall my AVG, so I did, and it worked. The laptop was back to Normal Mode. This text file pops up every startup, "blphcepbj0ev7g.scr", and this window too:


Can not find script file "C:\documents and settings\administrator\local settings\temp\.tt4.tmp.vbs".



I then ran the Malware Removal Tool and it detected around 77 threats; around 3 were not totally healed (sorry, I don't have a copy of the result). The tool asked me to run my antivirus before restarting to complete the process, but since I had uninstalled it already, I downloaded AVG Free, but the installation kept on rolling back. It gave this message:

Local machine: installation failed
Installation:
Error: Action failed for file avgmfx86.sys: starting service....
Error 0x80070002

I then tried Panda Antivirus+Firewall 2007 and after installing it, a threat was healed and then i was asked to restart.

I was so happy because the computer started in Normal Mode, but I was shocked when a blue screen appeared saying "Warning! Spyware detected on ur computer. Install antivirus or spyware remover to clean ur computer." It also became my wallpaper. The text file "blphcepbj0ev7g.scr" still opens and the window saying Can not find script file "C:\documents and settings\administrator\local settings\temp\.tt4.tmp.vbs" also appears. But this time my laptop was very, very slow and Panda wouldn't work anymore, so I just uninstalled it.

I also tried enabling the firewall since it was a requirement before posting, but I couldn't.

Now I don't really know if my problem became worse because of the methods I used. Please help me. I really don't know what more to do. I don't want to resort to reprogramming my laptop. I don't want to lose my files and I really, really can't afford to pay someone to program it.

Here are the required files:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-02 21:18:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
24: 2008-07-03 00:06:20 UTC - RP24 - Installed AVG Free 8.0
23: 2008-07-02 09:32:13 UTC - RP23 - Restore Operation
22: 2008-07-02 09:22:19 UTC - RP22 - Restore Operation
21: 2008-07-02 03:16:55 UTC - RP21 - Installed Java™ 6 Update 5
20: 2008-07-01 06:08:19 UTC - RP20 - Last known good configuration


-- First Restore Point --
1: 2008-07-01 06:07:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 126 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-02 21:36:51
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\lphcepbj0ev7g.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhpf.co.uk/mypage.asp?OrgID=125218
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: C:\WINDOWS\system32\hdxjd4g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\hdxjd4g.dll
O2 - BHO: C:\WINDOWS\system32\djki397g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\djki397g.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [lphcepbj0ev7g] C:\WINDOWS\system32\lphcepbj0ev7g.exe
O4 - HKLM\..\Run: [SMrhcapbj0ev7g] C:\Program Files\rhcapbj0ev7g\rhcapbj0ev7g.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{33B00AD3-10D1-47B7-ACCF-DDBE9246973A}: NameServer = 66.93.87.2
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9B888C2C-27CF-45F6-BBF0-A29EE52D6356}: NameServer = 66.93.87.2
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: crypt - C:\WINDOWS\system32\crypts.dll
O20 - Winlogon Notify: fccaXQhg - C:\WINDOWS\system32\fccaXQhg.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O21 - SSODL: nqHIBFLbqf - {606FD787-CAC5-7D2D-C387-DABE79CDEE95} - C:\WINDOWS\system32\xso.dll (file missing)
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\hdxjd4g.dll
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\djki397g.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\system32\CcEvtSvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\Administrator\ie_updates3r.exe -A
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--
End of file - 12857 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.cmd - cmdfile - shell\edit\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.inf - inffile - shell\open\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.ini - inifile - shell\open\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.reg - regfile - shell\edit\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.scr - AutoCADScriptFile - shell\open\command - C:\WINDOWS\NOTEPAD.EXE "%1"
.txt - txtfile - shell\open\command - C:\WINDOWS\system32\NOTEPAD2.EXE %1
.vbs - VBSFile - shell\edit\command - C:\WINDOWS\system32\Notepad2.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vch40 - c:\windows\system32\drivers\vch40.sys
R0 Winye05 - c:\windows\system32\drivers\winye05.sys
R3 tcpsr - c:\windows\system32\drivers\tcpsr.sys (file missing)

S0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
S1 ShldDrv (Panda File Shield Driver) - c:\windows\system32\drivers\shldrv51.sys (file missing)
S2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys (file missing)
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 SNPSTD3 (USB PC Camera (SNPSTD3)) - c:\windows\system32\drivers\snpstd3.sys <Not Verified; ; PC Camera driver>
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 CcEvtSvc - c:\windows\system32\ccevtsvc.exe -k netsvcs
S2 FCI - c:\windows\system32\svchost.exe:ext.exe
S2 Google Online Services - c:\documents and settings\administrator\ie_updates3r.exe -a (file missing)
S2 ICF - c:\windows\system32\svchost.exe:exe.exe
S2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe" (file missing)
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
S3 Scarbmg -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\ABECC68004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\ABECC68004603
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_03\4&13B53951&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_03\4&13B53951&0&40F0
Service: E100B

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_2446&SUBSYS_80DF104D&REV_03\3&61AAA01&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_2446&SUBSYS_80DF104D&REV_03\3&61AAA01&0&FE
Service:


-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 20:54:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-02 19:23:06 0 d-------- C:\Program Files\Panda Software
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files\Panda Software
2008-07-02 17:02:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 17:01:46 0 d-------- C:\Program Files\AVG
2008-07-02 17:01:40 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 16:04:04 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 12:17:19 0 d--hs---- C:\WINDOWS\CSC
2008-07-02 11:02:32 40960 --a------ C:\WINDOWS\winlogon.exe
2008-07-02 11:02:28 40 --a------ C:\WINDOWS\file.bat
2008-07-02 11:00:45 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-02 11:00:34 87552 --a------ C:\WINDOWS\system32\CcEvtSvc.exe
2008-07-02 11:00:17 22590 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe
2008-07-02 11:00:17 0 --a------ C:\1617942406
2008-07-02 11:00:08 0 d-------- C:\Program Files\rhcapbj0ev7g
2008-07-02 11:00:03 22154 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe
2008-07-02 11:00:03 41984 --a------ C:\WINDOWS\17PHolmes27.exe
2008-07-02 10:59:58 20992 --a------ C:\WINDOWS\system32\vedxga4m1et4.exe
2008-07-02 10:59:58 21874 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2008-07-02 10:58:10 0 d-------- C:\Program Files\BraveSentry
2008-07-02 10:58:09 44406 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe
2008-07-02 10:57:35 26624 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe
2008-07-02 10:57:33 25088 --a------ C:\WINDOWS\system32\vedxg6ame4.exe
2008-07-02 10:57:33 17782 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2008-07-02 10:57:24 8780 --a------ C:\WINDOWS\system32\vedxga5me3.exe
2008-07-02 10:57:16 25084 --a------ C:\WINDOWS\system32\vedxga1me4t1.exe
2008-07-02 10:57:15 13312 --a------ C:\WINDOWS\system32\maxpaynowti.exe
2008-07-02 10:57:12 3 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-07-02 10:57:04 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-07-02 10:57:00 41984 --a------ C:\WINDOWS\system32\vedxga4me1.exe
2008-07-02 10:56:59 60928 --a------ C:\WINDOWS\system32\blphcepbj0ev7g.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-02 10:56:42 31744 --a------ C:\WINDOWS\system32\crypts.dll
2008-07-02 10:56:31 5120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-07-02 10:56:30 5120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-07-02 10:56:19 109056 --a------ C:\WINDOWS\system32\lphcepbj0ev7g.exe
2008-07-02 10:56:15 1086512 --a------ C:\Documents and Settings\LocalService\Application Data\Install.dat
2008-07-02 10:56:13 48502 --a------ C:\WINDOWS\xpupdate.exe
2008-07-02 10:55:58 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-07-02 10:55:41 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-07-02 10:55:39 26686 --a------ C:\WINDOWS\system32\dflgh8jkd2q7.exe
2008-07-02 10:55:35 26250 --a------ C:\WINDOWS\system32\dflgh8jkd2q6.exe
2008-07-02 10:55:30 25970 --a------ C:\WINDOWS\system32\dflgh8jkd2q5.exe
2008-07-02 10:55:28 48502 --a------ C:\WINDOWS\system32\dflgh8jkd2q2.exe
2008-07-02 10:55:26 10 --a------ C:\WINDOWS\system32\kr_done1
2008-07-02 10:55:23 21878 --a------ C:\WINDOWS\system32\dflgh8jkd2q1.exe
2008-07-02 10:55:21 17 --a------ C:\WINDOWS\system32\dflgh8jkd2q8.exe
2008-07-02 10:55:16 10000 --a------ C:\WINDOWS\system32\djki397g.dll
2008-07-02 10:55:11 10000 --a------ C:\WINDOWS\system32\hdxjd4g.dll
2008-07-02 03:01:39 6144 --a------ C:\WINDOWS\system32\goht738.exe
2008-07-02 02:46:58 28672 --a------ C:\WINDOWS\system32\goht701.exe
2008-07-01 20:08:33 30208 --a------ C:\WINDOWS\system32\drivers\Vch40.sys
2008-07-01 20:08:18 41472 --a------ C:\WINDOWS\system32\goht734.exe
2008-07-01 20:06:32 58 --a------ C:\WINDOWS\system32\goht265.exe
2008-07-01 15:11:00 119296 --a------ C:\WINDOWS\msvecurity.exe
2008-07-01 15:09:48 8192 --a------ C:\WINDOWS\system32\goht534.exe
2008-06-30 23:07:08 38824 --ahs---- C:\WINDOWS\system32\QYxHgfii.ini2
2008-06-30 22:53:10 0 d-------- C:\Program Files\PCHealthCenter
2008-06-25 10:49:01 0 d-------- C:\WINDOWS\Sun
2008-06-21 17:27:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-21 17:26:01 0 d-------- C:\Program Files\BearShare Applications
2008-06-19 15:56:59 4007835 --a------ C:\Documents and Settings\Administrator\Desktop(3)
2008-06-19 15:56:52 2742692 --a------ C:\Documents and Settings\Administrator\Desktop(2)
2008-06-18 18:27:46 4456448 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-06-16 19:22:40 338 --a------ C:\Program Files\Setupinf.dat
2008-06-16 19:22:37 246972 --a------ C:\Program Files\FPFntDat.bin
2008-06-16 19:22:36 279781 --a------ C:\Program Files\BarRes.dat
2008-06-16 19:10:54 0 d-------- C:\Spedia
2008-06-16 18:48:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-13 14:20:40 0 d-------- C:\Program Files\QuickFix
2008-06-08 12:02:53 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-05 03:15:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\ShoppingReport
2008-06-05 03:14:51 0 d-------- C:\Program Files\ShoppingReport
2008-06-04 15:25:52 0 d-------- C:\Program Files\Free PDF Downloader
2008-06-03 15:34:14 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-03 15:34:14 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-03 15:34:13 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-07-02 20:07:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files
2008-07-02 18:34:00 0 d-------- C:\Program Files\Java
2008-07-02 15:45:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-02 11:00:04 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-26 02:37:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 23:21:32 5853 --a------ C:\WINDOWS\mozver.dat
2008-06-24 21:59:27 0 d-------- C:\Program Files\Google
2008-06-08 12:01:50 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-01 19:27:41 0 d-------- C:\Program Files\uTorrent
2008-06-01 04:39:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-01 04:35:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-01 04:35:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-28 16:55:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-28 14:18:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-05-28 13:59:25 0 d-------- C:\Program Files\Yahoo!
2008-05-28 13:43:20 0 d-------- C:\Program Files\Chikka
2008-05-27 22:40:13 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-27 22:39:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 22:38:49 0 d-------- C:\Program Files\GameHouse
2008-05-25 22:34:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-14 11:11:10 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-12 21:19:48 0 d-------- C:\Program Files\Video-AVI to GIF-JPEG
2008-05-05 01:49:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-05-04 10:54:49 0 d-------- C:\Program Files\DIFX
2008-05-04 10:52:54 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-04 10:52:16 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-04 10:51:18 0 d-------- C:\Program Files\Nokia
2008-05-04 10:49:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-04 10:48:53 0 d-------- C:\Program Files\PC Connectivity Solution


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
07/02/2008 10:55 AM 10000 --a------ C:\WINDOWS\system32\hdxjd4g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
07/02/2008 10:55 AM 10000 --a------ C:\WINDOWS\system32\djki397g.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [10/03/2005 12:23 PM]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [11/04/2005 04:05 PM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/05/2005 04:55 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/23/2007 01:20 PM]
"lphcepbj0ev7g"="C:\WINDOWS\system32\lphcepbj0ev7g.exe" [07/02/2008 10:56 AM]
"SMrhcapbj0ev7g"="C:\Program Files\rhcapbj0ev7g\rhcapbj0ev7g.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe -autorun
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"msvecurity"=C:\WINDOWS\msvecurity.exe
"Hhjg5jfd93dftdf"=C:\WINDOWS\TEMP\winlagon.exe
"Windows update loader"=C:\Windows\xpupdate.exe
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"InstallProgram"=C:\WINDOWS\TEMP\lprn32.exe
"Service Pack 1"=C:\WINDOWS\system32\vedxg6ame4.exe
"Brave-Sentry"=C:\Program Files\BraveSentry\BraveSentry.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/9/2008 4:18:17 PM]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [3/5/2006 5:43:54 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"Wallpaper"=C:\WINDOWS\desktop.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\hdxjd4g.dll [07/02/2008 10:55 AM 10000]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\system32\djki397g.dll [07/02/2008 10:55 AM 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{84C53226-C282-41FE-A4B4-8F05CC5EC24B}"= C:\WINDOWS\system32\fccaXQhg.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nqHIBFLbqf"= {606FD787-CAC5-7D2D-C387-DABE79CDEE95} - C:\WINDOWS\system32\xso.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
crypts.dll 07/02/2008 10:56 AM 31744 C:\WINDOWS\system32\crypts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaXQhg]
fccaXQhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 07/02/2008 08:07 PM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifgHxYQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vch40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye05.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04dae2b1-f7be-11dc-bd86-08004628ffc6}]
Auto\command- G:\RECYCLER.exe
AutoRun\command- G:\RECYCLER.exe
explore\Command- vuts0e.cmd
open\Command- vuts0e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e4db760-f157-11dc-bd66-08004628ffc6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d419bec0-ee96-11dc-bd59-08004628ffc6}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe




-- End of Deckard's System Scanner: finished at 2008-07-02 21:41:14 ------------



<<<EXTRA.TXT>>>

Attached File: extra.txt (10.85KB)

Edited by hookedforever, 02 July 2008 - 10:42 AM.



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:08 AM

Posted 02 July 2008 - 11:32 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\dllgh8jkd1q7.exe
    C:\Program Files\rhcapbj0ev7g
    C:\WINDOWS\system32\dllgh8jkd1q6.exe
    C:\WINDOWS\17PHolmes27.exe
    C:\WINDOWS\system32\vedxga4m1et4.exe
    C:\WINDOWS\system32\dllgh8jkd1q5.exe
    C:\Program Files\BraveSentry
    C:\WINDOWS\system32\dllgh8jkd1q2.exe
    C:\WINDOWS\system32\vedxg4am1et2.exe
    C:\WINDOWS\system32\vedxg6ame4.exe
    C:\WINDOWS\system32\dllgh8jkd1q1.exe
    C:\WINDOWS\system32\vedxga5me3.exe
    C:\WINDOWS\system32\vedxga1me4t1.exe
    C:\WINDOWS\system32\maxpaynowti.exe
    C:\WINDOWS\system32\dllgh8jkd1q8.exe
    C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
    C:\WINDOWS\system32\vedxga4me1.exe
    C:\WINDOWS\system32\blphcepbj0ev7g.scr 
    C:\WINDOWS\system32\crypts.dll
    C:\Documents and Settings\LocalService\ftpdll.dll
    C:\WINDOWS\system32\ftpdll.dll
    C:\WINDOWS\system32\lphcepbj0ev7g.exe
    C:\Documents and Settings\LocalService\Application Data\Install.dat
    C:\WINDOWS\xpupdate.exe
    C:\WINDOWS\system32\WinCtrl32.dll
    C:\WINDOWS\system32\dflgh8jkd2q7.exe
    C:\WINDOWS\system32\dflgh8jkd2q6.exe
    C:\WINDOWS\system32\dflgh8jkd2q5.exe
    C:\WINDOWS\system32\dflgh8jkd2q2.exe
    C:\WINDOWS\system32\dflgh8jkd2q1.exe
    C:\WINDOWS\system32\dflgh8jkd2q8.exe
    C:\WINDOWS\system32\djki397g.dll
    C:\WINDOWS\system32\hdxjd4g.dll
    C:\WINDOWS\system32\goht738.exe
    C:\WINDOWS\system32\goht701.exe
    C:\WINDOWS\system32\drivers\Vch40.sys
    C:\WINDOWS\system32\goht734.exe
    C:\WINDOWS\system32\goht265.exe
    C:\WINDOWS\msvecurity.exe
    C:\WINDOWS\system32\goht534.exe
    C:\WINDOWS\system32\QYxHgfii.ini2
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 hookedforever

hookedforever
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:philippines
  • Local time:04:08 PM

Posted 02 July 2008 - 12:04 PM

Thank you for the quick reply!



Here's the OTMoveIt2 log which popped out after restarting the laptop:





File/Folder C:\WINDOWS\system32\dllgh8jkd1q7.exe not found.
File/Folder C:\Program Files\rhcapbj0ev7g not found.
File/Folder C:\WINDOWS\system32\dllgh8jkd1q6.exe not found.
File/Folder C:\WINDOWS\17PHolmes27.exe not found.
File/Folder C:\WINDOWS\system32\vedxga4m1et4.exe not found.
File/Folder C:\WINDOWS\system32\dllgh8jkd1q5.exe not found.
File/Folder C:\Program Files\BraveSentry not found.
File/Folder C:\WINDOWS\system32\dllgh8jkd1q2.exe not found.
File/Folder C:\WINDOWS\system32\vedxg4am1et2.exe not found.
File/Folder C:\WINDOWS\system32\vedxg6ame4.exe not found.
File/Folder C:\WINDOWS\system32\dllgh8jkd1q1.exe not found.
File/Folder C:\WINDOWS\system32\vedxga5me3.exe not found.
File/Folder C:\WINDOWS\system32\vedxga1me4t1.exe not found.
File/Folder C:\WINDOWS\system32\maxpaynowti.exe not found.
File/Folder C:\WINDOWS\system32\dllgh8jkd1q8.exe not found.
File/Folder C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd not found.
File/Folder C:\WINDOWS\system32\vedxga4me1.exe not found.
File/Folder C:\WINDOWS\system32\blphcepbj0ev7g.scr not found.
File/Folder C:\WINDOWS\system32\crypts.dll not found.
File/Folder C:\Documents and Settings\LocalService\ftpdll.dll not found.
File/Folder C:\WINDOWS\system32\ftpdll.dll not found.
File/Folder C:\WINDOWS\system32\lphcepbj0ev7g.exe not found.
File/Folder C:\Documents and Settings\LocalService\Application Data\Install.dat not found.
File/Folder C:\WINDOWS\xpupdate.exe not found.
File/Folder C:\WINDOWS\system32\WinCtrl32.dll not found.
File/Folder C:\WINDOWS\system32\dflgh8jkd2q7.exe not found.
File/Folder C:\WINDOWS\system32\dflgh8jkd2q6.exe not found.
File/Folder C:\WINDOWS\system32\dflgh8jkd2q5.exe not found.
File/Folder C:\WINDOWS\system32\dflgh8jkd2q2.exe not found.
File/Folder C:\WINDOWS\system32\dflgh8jkd2q1.exe not found.
File/Folder C:\WINDOWS\system32\dflgh8jkd2q8.exe not found.
File/Folder C:\WINDOWS\system32\djki397g.dll not found.
File/Folder C:\WINDOWS\system32\hdxjd4g.dll not found.
C:\WINDOWS\system32\goht738.exe moved successfully.
C:\WINDOWS\system32\goht701.exe moved successfully.
File move failed. C:\WINDOWS\system32\drivers\Vch40.sys scheduled to be moved on reboot.
C:\WINDOWS\system32\goht734.exe moved successfully.
C:\WINDOWS\system32\goht265.exe moved successfully.
C:\WINDOWS\msvecurity.exe moved successfully.
C:\WINDOWS\system32\goht534.exe moved successfully.
C:\WINDOWS\system32\QYxHgfii.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07032008_004732

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\Vch40.sys scheduled to be moved on reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'm sorry but I did your instructions twice. When I first tried doing it, the window disappeared so I did it again... I looked at c:\_OTMoveIt\MovedFiles and now there are 2 folders (07032008_004456 and 07032008_004732), 07032008_004732.log and 07032008_004732.res.

By the way, "blphcepbj0ev7g.scr" and Can not find script file "C:\documents and settings\administrator\local settings\temp\.tt4.tmp.vbs" didn't show up after restart. :thumbsup:

Now here's the DSS (MAIN only, no EXTRA...):




Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-03 00:58:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 126 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-03 01:01:43
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\sysrest32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhpf.co.uk/mypage.asp?OrgID=125218
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: C:\WINDOWS\system32\hdxjd4g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\hdxjd4g.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\djki397g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\djki397g.dll (file missing)
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [lphcepbj0ev7g] C:\WINDOWS\system32\lphcepbj0ev7g.exe
O4 - HKLM\..\Run: [SMrhcapbj0ev7g] C:\Program Files\rhcapbj0ev7g\rhcapbj0ev7g.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{33B00AD3-10D1-47B7-ACCF-DDBE9246973A}: NameServer = 66.93.87.2
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9B888C2C-27CF-45F6-BBF0-A29EE52D6356}: NameServer = 66.93.87.2
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: crypt - C:\WINDOWS\system32\crypts.dll (file missing)
O20 - Winlogon Notify: fccaXQhg - C:\WINDOWS\system32\fccaXQhg.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O21 - SSODL: nqHIBFLbqf - {606FD787-CAC5-7D2D-C387-DABE79CDEE95} - C:\WINDOWS\system32\xso.dll (file missing)
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\hdxjd4g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\djki397g.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\system32\CcEvtSvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\Administrator\ie_updates3r.exe -A
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--
End of file - 13061 bytes

-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-07-03 01:01:31 0 d-------- C:\Program Files\Trend Micro
2008-07-03 00:54:07 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-03 00:39:22 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-07-02 23:48:04 15328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-07-02 23:48:03 23040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-07-02 20:54:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-02 19:23:06 0 d-------- C:\Program Files\Panda Software
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files\Panda Software
2008-07-02 17:02:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 17:01:46 0 d-------- C:\Program Files\AVG
2008-07-02 17:01:40 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 12:17:19 0 d--hs---- C:\WINDOWS\CSC
2008-07-02 11:02:32 40960 --a------ C:\WINDOWS\winlogon.exe
2008-07-02 11:02:28 40 --a------ C:\WINDOWS\file.bat
2008-07-02 11:00:45 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-02 11:00:34 87552 --a------ C:\WINDOWS\system32\CcEvtSvc.exe
2008-07-02 11:00:17 0 --a------ C:\1617942406
2008-07-02 10:55:41 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-07-02 10:55:26 10 --a------ C:\WINDOWS\system32\kr_done1
2008-07-01 20:08:33 30208 --a------ C:\WINDOWS\system32\drivers\Vch40.sys
2008-06-30 22:53:10 0 d-------- C:\Program Files\PCHealthCenter
2008-06-25 10:49:01 0 d-------- C:\WINDOWS\Sun
2008-06-21 17:27:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-21 17:26:01 0 d-------- C:\Program Files\BearShare Applications
2008-06-19 15:56:59 4007835 --a------ C:\Documents and Settings\Administrator\Desktop(3)
2008-06-19 15:56:52 2742692 --a------ C:\Documents and Settings\Administrator\Desktop(2)
2008-06-18 18:27:46 4456448 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-06-16 19:22:40 338 --a------ C:\Program Files\Setupinf.dat
2008-06-16 19:22:37 246972 --a------ C:\Program Files\FPFntDat.bin
2008-06-16 19:22:36 279781 --a------ C:\Program Files\BarRes.dat
2008-06-16 19:10:54 0 d-------- C:\Spedia
2008-06-16 18:48:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-13 14:20:40 0 d-------- C:\Program Files\QuickFix
2008-06-08 12:02:53 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-05 03:15:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\ShoppingReport
2008-06-05 03:14:51 0 d-------- C:\Program Files\ShoppingReport
2008-06-04 15:25:52 0 d-------- C:\Program Files\Free PDF Downloader
2008-06-03 15:34:14 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-03 15:34:14 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-03 15:34:13 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-07-02 20:07:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files
2008-07-02 18:34:00 0 d-------- C:\Program Files\Java
2008-07-02 15:45:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-02 11:00:04 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-26 02:37:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 23:21:32 5853 --a------ C:\WINDOWS\mozver.dat
2008-06-24 21:59:27 0 d-------- C:\Program Files\Google
2008-06-08 12:01:50 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-01 19:27:41 0 d-------- C:\Program Files\uTorrent
2008-06-01 04:39:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-01 04:35:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-01 04:35:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-28 16:55:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-28 14:18:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-05-28 13:59:25 0 d-------- C:\Program Files\Yahoo!
2008-05-28 13:43:20 0 d-------- C:\Program Files\Chikka
2008-05-27 22:40:13 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-27 22:39:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 22:38:49 0 d-------- C:\Program Files\GameHouse
2008-05-25 22:34:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-14 11:11:10 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-12 21:19:48 0 d-------- C:\Program Files\Video-AVI to GIF-JPEG
2008-05-05 01:49:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-05-04 10:54:49 0 d-------- C:\Program Files\DIFX
2008-05-04 10:52:54 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-04 10:52:16 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-04 10:51:18 0 d-------- C:\Program Files\Nokia
2008-05-04 10:49:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-04 10:48:53 0 d-------- C:\Program Files\PC Connectivity Solution


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\hdxjd4g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
C:\WINDOWS\system32\djki397g.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [10/03/2005 12:23 PM]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [11/04/2005 04:05 PM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/05/2005 04:55 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/23/2007 01:20 PM]
"lphcepbj0ev7g"="C:\WINDOWS\system32\lphcepbj0ev7g.exe" []
"SMrhcapbj0ev7g"="C:\Program Files\rhcapbj0ev7g\rhcapbj0ev7g.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [07/02/2008 11:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe -autorun
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"msvecurity"=C:\WINDOWS\msvecurity.exe
"Hhjg5jfd93dftdf"=C:\WINDOWS\TEMP\winlagon.exe
"Windows update loader"=C:\Windows\xpupdate.exe
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"InstallProgram"=C:\WINDOWS\TEMP\lprn32.exe
"Service Pack 1"=C:\WINDOWS\system32\vedxg6ame4.exe
"Brave-Sentry"=C:\Program Files\BraveSentry\BraveSentry.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/9/2008 4:18:17 PM]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [3/5/2006 5:43:54 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"Wallpaper"=C:\WINDOWS\desktop.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\hdxjd4g.dll [ ]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\system32\djki397g.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{84C53226-C282-41FE-A4B4-8F05CC5EC24B}"= C:\WINDOWS\system32\fccaXQhg.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nqHIBFLbqf"= {606FD787-CAC5-7D2D-C387-DABE79CDEE95} - C:\WINDOWS\system32\xso.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
crypts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaXQhg]
fccaXQhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 07/03/2008 12:55 AM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifgHxYQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vch40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye05.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04dae2b1-f7be-11dc-bd86-08004628ffc6}]
Auto\command- G:\RECYCLER.exe
AutoRun\command- G:\RECYCLER.exe
explore\Command- vuts0e.cmd
open\Command- vuts0e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e4db760-f157-11dc-bd66-08004628ffc6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d419bec0-ee96-11dc-bd59-08004628ffc6}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe




-- End of Deckard's System Scanner: finished at 2008-07-03 01:06:53 ------------

Edited by hookedforever, 02 July 2008 - 12:10 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 July 2008 - 12:28 PM

You have some nasty stuff in your log. You should try to stay disconnected from the internet as much as possible until we get this fixed up.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: C:\WINDOWS\system32\hdxjd4g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\hdxjd4g.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\djki397g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\djki397g.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [lphcepbj0ev7g] C:\WINDOWS\system32\lphcepbj0ev7g.exe
O4 - HKLM\..\Run: [SMrhcapbj0ev7g] C:\Program Files\rhcapbj0ev7g\rhcapbj0ev7g.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: crypt - C:\WINDOWS\system32\crypts.dll (file missing)
O20 - Winlogon Notify: fccaXQhg - C:\WINDOWS\system32\fccaXQhg.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O21 - SSODL: nqHIBFLbqf - {606FD787-CAC5-7D2D-C387-DABE79CDEE95} - C:\WINDOWS\system32\xso.dll (file missing)
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\hdxjd4g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\djki397g.dll (file missing)



===============



Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


================



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new DSS log

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
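The kind of triage a helper does by eye when picking O4 lines like the ones listed above, as an added example (not code from the thread, from Buckeye_Sam or from HijackThis): it parses HijackThis O4 autostart lines and flags the patterns that recur in this log. The sample lines are copied from the logs in this thread; the heuristics themselves (TEMP paths, executables in the drivers folder, one-edit lookalikes of Windows binaries, vowel-poor generated names with a 0.25 threshold) are this example's own assumptions and give review hints, not verdicts.

```python
"""Triage hints for HijackThis O4 (autostart) lines.  Sample lines are copied from the
logs in this thread; the rules are this example's own, not HijackThis's: hints, not verdicts."""
import re
from pathlib import PureWindowsPath

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command> (User '<account>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Genuine system32 binaries that malware imitates with a one-letter change.
SYSTEM_BINARIES = {"winlogon.exe", "ctfmon.exe", "spoolsv.exe", "svchost.exe",
                   "lsass.exe", "services.exe", "smss.exe"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap as one step, so cftmon -> ctfmon
    and winlagon -> winlogon are each a single edit from the genuine name."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_path(cmd: str) -> str:
    """Program part of a Run command: the quoted path if quoted, otherwise the
    text up to the first executable extension (arguments such as -autorun drop)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat|scr|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(stem: str) -> bool:
    """Generated names mix letters and digits and have almost no vowels
    (lphcepbj0ev7g, Hhjg5jfd93dftdf); product names rarely look like that."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 10 or not letters or not any(c.isdigit() for c in stem):
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(letters) < 0.25


def triage_o4(line: str) -> list:
    """Reasons an O4 line deserves a closer look; an empty list means none."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    path = PureWindowsPath(executable_path(m["cmd"]))
    name = path.name.lower()
    parts = [p.lower() for p in path.parts]
    reasons = []
    if "temp" in parts:
        reasons.append("autostart runs from a TEMP directory")
    if "drivers" in parts and path.suffix.lower() != ".sys":
        reasons.append("non-driver executable inside system32\\drivers")
    if name in SYSTEM_BINARIES and (len(parts) < 2 or parts[-2] != "system32"):
        reasons.append("system binary name outside system32")
    elif name not in SYSTEM_BINARIES and any(
            osa_distance(name, s) == 1 for s in SYSTEM_BINARIES):
        reasons.append(f"{path.name} is one edit away from a Windows binary name")
    if looks_random(path.stem) or looks_random(m["name"]):
        reasons.append("random-looking value or file name")
    return reasons


def triage_log(lines) -> dict:
    """Map each flagged O4 value name to its reasons, in log order."""
    flagged = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        reasons = triage_o4(line)
        if m and reasons:
            flagged[m["name"]] = reasons
    return flagged


# Constructed sample: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup",
    r"O4 - HKLM\..\Run: [lphcepbj0ev7g] C:\WINDOWS\system32\lphcepbj0ev7g.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [InstallProgram] C:\WINDOWS\TEMP\lprn32.exe (User 'SYSTEM')",
]

if __name__ == "__main__":
    for value, reasons in triage_log(SAMPLE_LINES).items():
        print(f"[{value}] {'; '.join(reasons)}")
```

The two legitimate entries (Java updater, Nokia PC Suite) come back clean while the five the helper ticked are each flagged for at least one reason.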

#5 hookedforever

hookedforever
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:philippines

Posted 02 July 2008 - 02:08 PM

Whew, that was tough! I enjoyed it though, even if it's already 3 am here.. :thumbsup: I finally got rid of that "WARNING" background and now the default(?) XP background is back!!!! Yippee!!!! Are we done??? hehe, just kidding. I'm still enjoying... :)

But when I ran HijackThis, there were some items I didn't find. I swear these weren't there:

O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')


Here is the Report.txt:


SDFix: Version 1.200
Run by Administrator on Thu 07/03/2008 at 02:40 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name :
CcEvtSvc
FCI
Google Online Services
ICF
sysrest.sys
tcpsr

Path :
%SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\Documents and Settings\Administrator\ie_updates3r.exe -A
C:\WINDOWS\system32\svchost.exe:exe.exe
\??\C:\WINDOWS\system32\sysrest.sys
\??\C:\WINDOWS\System32\drivers\tcpsr.sys

CcEvtSvc - Deleted
FCI - Deleted
Google Online Services - Deleted
ICF - Deleted
sysrest.sys - Deleted
tcpsr - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Schedule Service Path
Restoring Missing Security Center Service

Rebooting

Service asc3550p - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\PHCEPB~1.BMP - Deleted
C:\19.TMP - Deleted
C:\26.TMP - Deleted
C:\27.TMP - Deleted
C:\28.TMP - Deleted
C:\_OTMoveIt\MovedFiles\07032008_004456\Documents and Settings\LocalService\Application Data\Install.dat - Deleted
C:\_OTMOV~1\MOVEDF~1\070320~1\DOCUME~1\LOCALS~1\FTPDLL.DLL - Deleted
C:\_OTMOV~1\MOVEDF~1\070320~1\WINDOWS\SYSTEM32\FTPDLL.DLL - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\1.dflb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\2.dflb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\5.dflb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\6.dflb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\7.dflb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\1.dllb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\2.dllb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\5.dllb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\6.dllb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\7.dllb - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\v4xd3.ga2me - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\v4xd6.gam5e - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\v5xd2.g3ame - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\v5xd4.ga2me - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\v6xdt4.game - Deleted
C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\vx3dt2.game - Deleted
C:\WINDOWS\system32\back.exe.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt1F.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt25.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt2C.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt30.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt36.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt51.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt5B.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt64.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt69.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt6B.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt6E.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt70.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt73.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt7C.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt7F.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt85.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt8B.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt9E.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttAB.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttB1.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttB6.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttBD.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttE.tmp - Deleted
C:\WINDOWS\desktop.html - Deleted
C:\WINDOWS\system32\CcEvtSvc.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\sysrest32.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\winlogon.exe - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\sysrest.sys - Deleted


Could Not Remove C:\WINDOWS\system32\WinCtrl32.dll



Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 47616 bytes in 2 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 02:54:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sap29]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Sap29]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Sap29.sys 124928 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ćTorrent"
"C:\\WINDOWS\\msvecurity.exe"="C:\\WINDOWS\\msvecurity.exe:*:Enabled:enable"
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.ttB1.tmp"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.ttB1.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\WinCtrl32.dll Found

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 15 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0001.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0005.tmp"
Sun 16 Mar 2008 25,600 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0629.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0942.tmp"
Sun 16 Mar 2008 25,600 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1168.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2370.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3143.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3349.tmp"
Sun 16 Mar 2008 25,600 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3461.tmp"
Sun 16 Mar 2008 25,088 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3991.tmp"
Sun 16 Mar 2008 25,600 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL4034.tmp"
Fri 25 Apr 2008 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0005.tmp"
Fri 25 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0173.tmp"
Fri 25 Apr 2008 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0303.tmp"
Fri 25 Apr 2008 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0731.tmp"
Fri 25 Apr 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0790.tmp"
Fri 25 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0881.tmp"
Fri 25 Apr 2008 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1202.tmp"
Fri 25 Apr 2008 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1343.tmp"
Fri 25 Apr 2008 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1376.tmp"
Fri 25 Apr 2008 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1753.tmp"
Sat 26 Apr 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1769.tmp"
Sat 26 Apr 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1985.tmp"
Fri 25 Apr 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3308.tmp"
Fri 25 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3703.tmp"
Fri 25 Apr 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3706.tmp"
Fri 25 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3964.tmp"
Fri 25 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL4009.tmp"
Tue 15 Nov 2005 78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Mon 8 Oct 2007 20,992 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\florendo\~WRL0781.tmp"
Mon 8 Oct 2007 80,384 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\florendo\~WRL2214.tmp"
Sun 6 Apr 2008 616,448 A.SH. --- "C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\28fk4dfp.TMP"
Tue 25 Mar 2008 408,217,600 A.SH. --- "C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\5qll2jmo.TMP"
Sat 21 Jun 2008 616,448 A.SH. --- "C:\Deckard\System Scanner\20080703005757\backup\WINDOWS\temp\8gmikt1q.TMP"
Tue 18 Sep 2007 214,016 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0049.tmp"
Tue 18 Sep 2007 212,480 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0052.tmp"
Tue 18 Sep 2007 212,480 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0319.tmp"
Tue 18 Sep 2007 214,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0324.tmp"
Tue 18 Sep 2007 212,992 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0329.tmp"
Tue 18 Sep 2007 211,456 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0429.tmp"
Mon 17 Sep 2007 213,504 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0500.tmp"
Tue 18 Sep 2007 209,920 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0517.tmp"
Tue 18 Sep 2007 211,456 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0804.tmp"
Tue 18 Sep 2007 210,432 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL0857.tmp"
Tue 18 Sep 2007 211,968 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL1057.tmp"
Tue 18 Sep 2007 214,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL1199.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL1275.tmp"
Tue 18 Sep 2007 214,016 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL1413.tmp"
Tue 18 Sep 2007 209,408 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2058.tmp"
Tue 18 Sep 2007 216,064 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2082.tmp"
Tue 18 Sep 2007 214,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2148.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2194.tmp"
Tue 18 Sep 2007 214,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2224.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2367.tmp"
Tue 18 Sep 2007 210,432 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2513.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL2724.tmp"
Tue 18 Sep 2007 209,408 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL3170.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL3623.tmp"
Tue 18 Sep 2007 210,432 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL3739.tmp"
Tue 18 Sep 2007 213,504 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL3744.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL3834.tmp"
Tue 18 Sep 2007 210,944 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL3837.tmp"
Tue 18 Sep 2007 210,432 A..H. --- "C:\Documents and Settings\Administrator\Desktop\hrim proj\estilo de vida\Estilo de vida\~WRL4069.tmp"

Finished!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now here is the MAIN.TXT (DSS)

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-03 03:02:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 89% (more than 75%).
Total Physical Memory: 126 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:52 AM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhpf.co.uk/mypage.asp?OrgID=125218
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B00AD3-10D1-47B7-ACCF-DDBE9246973A}: NameServer = 66.93.87.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B888C2C-27CF-45F6-BBF0-A29EE52D6356}: NameServer = 66.93.87.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6417 bytes

-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-07-03 02:50:44 15360 -----n--- C:\WINDOWS\system32\WinCtrl32.dll
2008-07-03 02:34:59 0 d-------- C:\WINDOWS\ERUNT
2008-07-03 02:30:56 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-03 02:13:55 0 drahs---- C:\autorun.inf
2008-07-03 01:01:31 0 d-------- C:\Program Files\Trend Micro
2008-07-02 20:54:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-02 19:23:06 0 d-------- C:\Program Files\Panda Software
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files\Panda Software
2008-07-02 17:02:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 17:01:46 0 d-------- C:\Program Files\AVG
2008-07-02 17:01:40 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 12:17:19 0 d--hs---- C:\WINDOWS\CSC
2008-07-02 11:02:28 40 --a------ C:\WINDOWS\file.bat
2008-07-02 11:00:45 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-02 11:00:17 0 --a------ C:\1617942406
2008-07-02 10:55:41 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-07-01 20:08:33 30208 --a------ C:\WINDOWS\system32\drivers\Vch40.sys
2008-06-30 22:53:10 0 d-------- C:\Program Files\PCHealthCenter
2008-06-25 10:49:01 0 d-------- C:\WINDOWS\Sun
2008-06-21 17:27:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-21 17:26:01 0 d-------- C:\Program Files\BearShare Applications
2008-06-19 15:56:59 4007835 --a------ C:\Documents and Settings\Administrator\Desktop(3)
2008-06-19 15:56:52 2742692 --a------ C:\Documents and Settings\Administrator\Desktop(2)
2008-06-18 18:27:46 4456448 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-06-16 19:22:40 338 --a------ C:\Program Files\Setupinf.dat
2008-06-16 19:22:37 246972 --a------ C:\Program Files\FPFntDat.bin
2008-06-16 19:22:36 279781 --a------ C:\Program Files\BarRes.dat
2008-06-16 19:10:54 0 d-------- C:\Spedia
2008-06-16 18:48:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-13 14:20:40 0 d-------- C:\Program Files\QuickFix
2008-06-08 12:02:53 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-05 03:15:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\ShoppingReport
2008-06-05 03:14:51 0 d-------- C:\Program Files\ShoppingReport
2008-06-04 15:25:52 0 d-------- C:\Program Files\Free PDF Downloader
2008-06-03 15:34:14 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-03 15:34:14 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-03 15:34:13 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-07-02 20:07:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files
2008-07-02 18:34:00 0 d-------- C:\Program Files\Java
2008-07-02 15:45:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-02 11:00:04 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-26 02:37:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 23:21:32 5853 --a------ C:\WINDOWS\mozver.dat
2008-06-24 21:59:27 0 d-------- C:\Program Files\Google
2008-06-08 12:01:50 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-01 19:27:41 0 d-------- C:\Program Files\uTorrent
2008-06-01 04:39:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-01 04:35:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-01 04:35:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-28 16:55:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-28 14:18:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-05-28 13:59:25 0 d-------- C:\Program Files\Yahoo!
2008-05-28 13:43:20 0 d-------- C:\Program Files\Chikka
2008-05-27 22:40:13 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-27 22:39:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 22:38:49 0 d-------- C:\Program Files\GameHouse
2008-05-25 22:34:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-14 11:11:10 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-12 21:19:48 0 d-------- C:\Program Files\Video-AVI to GIF-JPEG
2008-05-05 01:49:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-05-04 10:54:49 0 d-------- C:\Program Files\DIFX
2008-05-04 10:52:54 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-04 10:52:16 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-04 10:51:18 0 d-------- C:\Program Files\Nokia
2008-05-04 10:49:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-04 10:48:53 0 d-------- C:\Program Files\PC Connectivity Solution


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [10/03/2005 12:23 PM]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [11/04/2005 04:05 PM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/05/2005 04:55 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/23/2007 01:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe -autorun
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"msvecurity"=C:\WINDOWS\msvecurity.exe
"Hhjg5jfd93dftdf"=C:\WINDOWS\TEMP\winlagon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/9/2008 4:18:17 PM]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [3/5/2006 5:43:54 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{84C53226-C282-41FE-A4B4-8F05CC5EC24B}"= C:\WINDOWS\system32\fccaXQhg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 07/03/2008 02:50 AM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifgHxYQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vch40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye05.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04dae2b1-f7be-11dc-bd86-08004628ffc6}]
Auto\command- G:\RECYCLER.exe
AutoRun\command- G:\RECYCLER.exe
explore\Command- vuts0e.cmd
open\Command- vuts0e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e4db760-f157-11dc-bd66-08004628ffc6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d419bec0-ee96-11dc-bd59-08004628ffc6}]
AutoRun\command- SilentSoftech.exe
explore\command- SilentSoftech.exe
open\command- SilentSoftech.exe
var1\command- SilentSoftech.exe




-- End of Deckard's System Scanner: finished at 2008-07-03 03:03:44 ------------
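As an added example (not the thread's own code and not part of HijackThis, DSS or ComboFix), here is a small Python triage pass over HijackThis-format lines of the kind in the log above: it flags the entry types a responder checks first (O4 autostarts running from temp paths or under service-account hives, O17 DNS overrides, O20 Winlogon Notify DLLs, O23 services whose file is missing). The sample lines are constructed from entries in the log above; a hit means "verify this", not "malicious".

```python
"""Triage of HijackThis-style log lines.

Added example, not part of the BleepingComputer thread or of any tool used in it.
It applies a few responder heuristics to autostart entries of the kind that
appear in the log above; every hit is something to verify, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0 line format, modelled on the log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\.DEFAULT\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlagon.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

# Hives under which an interactive user application has no business autostarting.
SERVICE_ACCOUNT_HIVES = ("HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20", "HKUS\\.DEFAULT")
# Directories from which a legitimate autostart rarely runs.
SUSPECT_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\recycler\\")

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
NS_RE = re.compile(r"NameServer = (?P<servers>\S.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section prefix, e.g. "O17"
    reason: str  # what a responder should verify
    line: str    # the raw log line


def _check_run(kind, body, line):
    """Heuristics for O4 (Run/RunOnce) entries."""
    m = RUN_RE.match(body)
    if not m:
        return None
    if any(d in m.group("cmd").lower() for d in SUSPECT_DIRS):
        return Finding(kind, "autostart command runs from a temp or recycler directory", line)
    if m.group("hive").upper().startswith(SERVICE_ACCOUNT_HIVES):
        return Finding(kind, f"user application autostarts from the {m.group('hive')} hive", line)
    return None


def triage_line(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        return _check_run(kind, body, line)
    if kind == "O17" and NS_RE.search(body):
        return Finding(kind, "DNS resolver set in the registry; confirm it is the ISP's or the LAN resolver", line)
    if kind == "O20" and NOTIFY_RE.match(body):
        return Finding(kind, "Winlogon Notify DLL is loaded into winlogon.exe at logon; verify its publisher", line)
    if kind == "O23" and body.endswith("(file missing)"):
        return Finding(kind, "service registration points at a file that no longer exists", line)
    return None


def triage(log_text):
    """Run triage_line over every line and return the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line.strip()}")
```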

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:08 AM

Posted 02 July 2008 - 04:21 PM

Just to follow up, did you run the Flash Disinfector?

Your log is looking a whole lot better, but we still have some work to do.


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 hookedforever

hookedforever
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:philippines
  • Local time:04:08 PM

Posted 02 July 2008 - 09:01 PM

Just to follow up, did you run the Flash Disinfector?

Your log is looking a whole lot better, but we still have some work to do.


Yes, I ran Flash Disinfector... I'm about to run ComboFix, so I have to disconnect from the internet now. See ya later. :thumbsup:

#8 hookedforever

hookedforever
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:philippines
  • Local time:04:08 PM

Posted 02 July 2008 - 09:47 PM

Here's the Combofix log:

ComboFix 08-07-01.5 - Administrator 2008-07-03 10:28:28.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\ShoppingReport
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\LocalService\Application Data\microsoft\internet explorer\Desktop.htt
C:\Documents and Settings\LocalService\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\LocalService\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\LocalService\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\file.bat
C:\WINDOWS\system32\drivers\Sap29.sys
C:\WINDOWS\system32\drivers\Vch40.sys
C:\WINDOWS\system32\drivers\Winye05.sys
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SAP29
-------\Legacy_TCPSR
-------\Legacy_VCH40
-------\Legacy_WINYE05
-------\Service_Sap29
-------\Service_tcpsr
-------\Service_Vch40
-------\Service_Winye05


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-03 02:34 . 2008-07-03 02:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-03 02:29 . 2008-07-03 02:29 <DIR> d-------- C:\SDFix
2008-07-03 01:01 . 2008-07-03 01:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 00:44 . 2008-07-03 00:44 <DIR> d-------- C:\_OTMoveIt
2008-07-02 21:18 . 2008-07-02 21:18 <DIR> d-------- C:\Deckard
2008-07-02 20:54 . 2008-07-02 20:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-02 19:24 . 2007-04-03 10:19 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
2008-07-02 19:23 . 2008-07-02 19:23 <DIR> d-------- C:\Program Files\Panda Software
2008-07-02 19:13 . 2008-07-02 20:07 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-02 17:03 . 2008-07-02 17:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-02 17:03 . 2008-07-02 17:03 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 17:02 . 2008-07-02 20:50 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 17:01 . 2008-07-02 17:01 <DIR> d-------- C:\Program Files\AVG
2008-07-02 17:01 . 2008-07-02 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 11:00 . 2008-07-02 11:00 29 --a------ C:\WINDOWS\system32\qoouaeed.tmp
2008-07-02 11:00 . 2008-07-02 11:00 0 --a------ C:\1617942406
2008-07-01 15:09 . 2008-07-02 10:55 1 --a------ C:\WINDOWS\system32\cofzlp.tmp
2008-06-30 23:07 . 2008-07-01 12:38 38,824 --ahs---- C:\WINDOWS\system32\QYxHgfii.ini
2008-06-25 10:49 . 2008-06-25 10:49 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 20:50 . 2002-03-19 23:24 26,674 -ra------ C:\WINDOWS\system32\drivers\dm9usb.sys
2008-06-21 17:27 . 2008-06-24 01:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-21 17:26 . 2008-06-24 01:09 <DIR> d-------- C:\Program Files\BearShare Applications
2008-06-17 15:50 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-17 15:49 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-17 15:49 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-17 15:49 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-17 15:49 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-16 19:22 . 2008-06-16 19:22 279,781 --a------ C:\Program Files\BarRes.dat
2008-06-16 19:22 . 2008-06-16 19:22 246,972 --a------ C:\Program Files\FPFntDat.bin
2008-06-16 19:22 . 2008-06-16 19:22 338 --a------ C:\Program Files\Setupinf.dat
2008-06-16 19:10 . 2008-06-17 15:54 <DIR> d-------- C:\Spedia
2008-06-13 14:20 . 2008-06-17 15:56 <DIR> d-------- C:\Program Files\QuickFix
2008-06-04 15:25 . 2008-06-04 15:25 <DIR> d-------- C:\Program Files\Free PDF Downloader
2008-06-03 15:34 . 2008-06-03 15:34 <DIR> d-------- C:\Program Files\Xvid
2008-06-03 15:34 . 2008-04-27 10:33 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-03 15:34 . 2008-04-27 10:35 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-03 15:34 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-03 03:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 01:34 --------- d-----w C:\Program Files\Java
2008-07-02 22:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-02 18:03 90,112 ----a-w C:\WINDOWS\DUMP7af3.tmp
2008-07-02 18:00 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-06-26 09:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-25 04:59 --------- d-----w C:\Program Files\Google
2008-06-08 19:01 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-02 02:27 --------- d-----w C:\Program Files\uTorrent
2008-05-28 21:18 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-05-28 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-28 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-28 20:59 --------- d-----w C:\Program Files\Yahoo!
2008-05-28 20:43 --------- d-----w C:\Program Files\Chikka
2008-05-28 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2008-05-28 05:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-28 05:38 --------- d-----w C:\Program Files\GameHouse
2008-05-14 18:11 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-05-13 04:19 --------- d-----w C:\Program Files\Video-AVI to GIF-JPEG
2008-05-05 08:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-05-04 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-04 17:54 --------- d-----w C:\Program Files\DIFX
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-04 17:51 --------- d-----w C:\Program Files\Nokia
2008-05-04 17:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-04 17:48 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-04 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
.

------- Sigcheck -------

2008-07-02 11:00 17408 83cff5d901a1b9382fcdb74e3c5d2619 C:\WINDOWS\system32\svchost.exe

2004-08-03 18:26 506368 bccc6d87487732ef9d29dc0da1a81b40 C:\WINDOWS\system32\winlogon.exe

2005-10-15 02:07 1034752 6b94d3f23bc656495f10ca5bbcac1dc4 C:\WINDOWS\explorer.exe

2004-08-03 18:26 110592 9072af57982c386e22ae1ec792a44dcd C:\WINDOWS\system32\services.exe

2004-08-03 18:26 14848 94c5c4bf75a706210d4d04214a738cb7 C:\WINDOWS\system32\lsass.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [2005-10-03 12:23 20480]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 16:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 16:55 339968]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-09 16:18:17 113664]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54 11000]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 17:03]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 17:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 17:03]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 05:51]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\dm9usb.sys [2002-03-19 23:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d419bec0-ee96-11dc-bd59-08004628ffc6}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Free Download Manager - C:\Program Files\Free Download Manager\fdm.exe
HKU-Default-Run-TaskSwitchXP - C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
HKU-Default-Run-Free Download Manager - C:\Program Files\Free Download Manager\fdm.exe
HKU-Default-Run-msvecurity - C:\WINDOWS\msvecurity.exe
ShellExecuteHooks-{84C53226-C282-41FE-A4B4-8F05CC5EC24B} - C:\WINDOWS\system32\fccaXQhg.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 10:41:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-07-03 10:47:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-03 17:47:34

Pre-Run: 10,543,169,536 bytes free
Post-Run: 10,569,195,520 bytes free

210

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:08 AM

Posted 03 July 2008 - 11:00 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\cofzlp.tmp
C:\WINDOWS\system32\QYxHgfii.ini

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d419bec0-ee96-11dc-bd59-08004628ffc6}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Also post a new log from DSS.
How is your computer behaving now?


========================================================

#10 hookedforever

hookedforever
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:philippines
  • Local time:04:08 PM

Posted 03 July 2008 - 11:22 AM

Hi again Sam!

Just so you know, I still don't have any antivirus. Remember, I uninstalled AVG and Panda. I also don't know which one to use now.
My computer is way better now thanks to you. :thumbsup:

Be back with the results in a couple of minutes. :)

#11 hookedforever

hookedforever
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:philippines
  • Local time:04:08 PM

Posted 03 July 2008 - 11:59 AM

Hi!

Here are the logs:

ComboFix


ComboFix 08-07-01.5 - Administrator 2008-07-04 0:38:57.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cofzlp.tmp
C:\WINDOWS\system32\QYxHgfii.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cofzlp.tmp
C:\WINDOWS\system32\QYxHgfii.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 02:34 . 2008-07-03 02:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-03 02:29 . 2008-07-03 02:29 <DIR> d-------- C:\SDFix
2008-07-03 01:01 . 2008-07-03 01:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 00:44 . 2008-07-03 00:44 <DIR> d-------- C:\_OTMoveIt
2008-07-02 21:18 . 2008-07-02 21:18 <DIR> d-------- C:\Deckard
2008-07-02 20:54 . 2008-07-02 20:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-02 19:24 . 2007-04-03 10:19 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
2008-07-02 19:23 . 2008-07-02 19:23 <DIR> d-------- C:\Program Files\Panda Software
2008-07-02 19:13 . 2008-07-02 20:07 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-02 17:03 . 2008-07-02 17:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-02 17:03 . 2008-07-02 17:03 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 17:02 . 2008-07-02 20:50 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 17:01 . 2008-07-02 17:01 <DIR> d-------- C:\Program Files\AVG
2008-07-02 17:01 . 2008-07-02 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 11:00 . 2008-07-02 11:00 29 --a------ C:\WINDOWS\system32\qoouaeed.tmp
2008-07-02 11:00 . 2008-07-02 11:00 0 --a------ C:\1617942406
2008-06-25 10:49 . 2008-06-25 10:49 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 20:50 . 2002-03-19 23:24 26,674 -ra------ C:\WINDOWS\system32\drivers\dm9usb.sys
2008-06-21 17:27 . 2008-06-24 01:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-21 17:26 . 2008-06-24 01:09 <DIR> d-------- C:\Program Files\BearShare Applications
2008-06-17 15:50 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-17 15:49 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-17 15:49 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-17 15:49 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-17 15:49 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-16 19:22 . 2008-06-16 19:22 279,781 --a------ C:\Program Files\BarRes.dat
2008-06-16 19:22 . 2008-06-16 19:22 246,972 --a------ C:\Program Files\FPFntDat.bin
2008-06-16 19:22 . 2008-06-16 19:22 338 --a------ C:\Program Files\Setupinf.dat
2008-06-16 19:10 . 2008-06-17 15:54 <DIR> d-------- C:\Spedia
2008-06-13 14:20 . 2008-06-17 15:56 <DIR> d-------- C:\Program Files\QuickFix
2008-06-04 15:25 . 2008-06-04 15:25 <DIR> d-------- C:\Program Files\Free PDF Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-03 03:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 01:34 --------- d-----w C:\Program Files\Java
2008-07-02 22:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-02 18:03 90,112 ----a-w C:\WINDOWS\DUMP7af3.tmp
2008-07-02 18:00 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-06-26 09:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-25 04:59 --------- d-----w C:\Program Files\Google
2008-06-08 19:01 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-03 22:34 --------- d-----w C:\Program Files\Xvid
2008-06-02 02:27 --------- d-----w C:\Program Files\uTorrent
2008-05-28 21:18 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-05-28 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-28 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-28 20:59 --------- d-----w C:\Program Files\Yahoo!
2008-05-28 20:43 --------- d-----w C:\Program Files\Chikka
2008-05-28 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2008-05-28 05:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-28 05:38 --------- d-----w C:\Program Files\GameHouse
2008-05-14 18:11 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-05-13 04:19 --------- d-----w C:\Program Files\Video-AVI to GIF-JPEG
2008-05-05 08:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-05-04 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-04 17:54 --------- d-----w C:\Program Files\DIFX
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-04 17:51 --------- d-----w C:\Program Files\Nokia
2008-05-04 17:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-04 17:48 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-04 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-27 17:35 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 17:33 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
.

------- Sigcheck -------

2008-07-02 11:00 17408 83cff5d901a1b9382fcdb74e3c5d2619 C:\WINDOWS\system32\svchost.exe

2004-08-03 18:26 506368 bccc6d87487732ef9d29dc0da1a81b40 C:\WINDOWS\system32\winlogon.exe

2005-10-15 02:07 1034752 6b94d3f23bc656495f10ca5bbcac1dc4 C:\WINDOWS\explorer.exe

2004-08-03 18:26 110592 9072af57982c386e22ae1ec792a44dcd C:\WINDOWS\system32\services.exe

2004-08-03 18:26 14848 94c5c4bf75a706210d4d04214a738cb7 C:\WINDOWS\system32\lsass.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-03_10.46.52.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-03 17:38:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 01:35:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [2005-10-03 12:23 20480]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 16:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 16:55 339968]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-09 16:18:17 113664]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54 11000]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 17:03]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 17:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 17:03]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 05:51]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\dm9usb.sys [2002-03-19 23:24]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 00:43:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 0:47:52
ComboFix-quarantined-files.txt 2008-07-04 07:47:46
ComboFix2.txt 2008-07-03 17:47:51

Pre-Run: 10,435,792,896 bytes free
Post-Run: 10,433,196,032 bytes free

164

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-04 01:00:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 126 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:47 AM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhpf.co.uk/mypage.asp?OrgID=125218
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B00AD3-10D1-47B7-ACCF-DDBE9246973A}: NameServer = 66.93.87.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B888C2C-27CF-45F6-BBF0-A29EE52D6356}: NameServer = 66.93.87.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{08DEFBAF-8C03-4A64-9615-A52E6774408E}: NameServer = 66.93.87.2
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6175 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-03 13:04:56 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-03 10:25:56 68096 --a------ C:\WINDOWS\zip.exe
2008-07-03 10:25:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-03 10:25:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-03 10:25:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-03 10:25:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-03 10:25:56 98816 --a------ C:\WINDOWS\sed.exe
2008-07-03 10:25:56 80412 --a------ C:\WINDOWS\grep.exe
2008-07-03 10:25:56 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-03 02:34:59 0 d-------- C:\WINDOWS\ERUNT
2008-07-03 02:13:55 0 drahs---- C:\autorun.inf
2008-07-03 01:01:31 0 d-------- C:\Program Files\Trend Micro
2008-07-02 20:54:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-02 19:23:06 0 d-------- C:\Program Files\Panda Software
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files\Panda Software
2008-07-02 17:02:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 17:01:46 0 d-------- C:\Program Files\AVG
2008-07-02 17:01:40 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 12:17:19 0 d--hs---- C:\WINDOWS\CSC
2008-07-02 11:00:45 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-02 11:00:17 0 --a------ C:\1617942406
2008-07-02 10:55:41 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-06-25 10:49:01 0 d-------- C:\WINDOWS\Sun
2008-06-21 17:27:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\BearShare
2008-06-21 17:26:01 0 d-------- C:\Program Files\BearShare Applications
2008-06-19 15:56:59 4007835 --a------ C:\Documents and Settings\Administrator\Desktop(3)
2008-06-19 15:56:52 2742692 --a------ C:\Documents and Settings\Administrator\Desktop(2)
2008-06-18 18:27:46 4456448 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-06-16 19:22:40 338 --a------ C:\Program Files\Setupinf.dat
2008-06-16 19:22:37 246972 --a------ C:\Program Files\FPFntDat.bin
2008-06-16 19:22:36 279781 --a------ C:\Program Files\BarRes.dat
2008-06-16 19:10:54 0 d-------- C:\Spedia
2008-06-16 18:48:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-13 14:20:40 0 d-------- C:\Program Files\QuickFix
2008-06-08 12:02:53 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-04 15:25:52 0 d-------- C:\Program Files\Free PDF Downloader


-- Find3M Report ---------------------------------------------------------------

2008-07-02 20:07:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-02 19:13:41 0 d-------- C:\Program Files\Common Files
2008-07-02 18:34:00 0 d-------- C:\Program Files\Java
2008-07-02 15:45:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-02 11:00:04 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-26 02:37:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 23:21:32 5853 --a------ C:\WINDOWS\mozver.dat
2008-06-24 21:59:27 0 d-------- C:\Program Files\Google
2008-06-08 12:01:50 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-03 15:34:14 0 d-------- C:\Program Files\Xvid
2008-06-01 19:27:41 0 d-------- C:\Program Files\uTorrent
2008-06-01 04:39:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-01 04:35:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-01 04:35:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-28 16:55:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-28 14:18:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-05-28 13:59:25 0 d-------- C:\Program Files\Yahoo!
2008-05-28 13:43:20 0 d-------- C:\Program Files\Chikka
2008-05-27 22:40:13 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-27 22:39:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-05-27 22:38:49 0 d-------- C:\Program Files\GameHouse
2008-05-25 22:34:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-14 11:11:10 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-12 21:19:48 0 d-------- C:\Program Files\Video-AVI to GIF-JPEG
2008-05-05 01:49:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-05-04 10:54:49 0 d-------- C:\Program Files\DIFX
2008-05-04 10:52:54 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-04 10:52:16 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-04 10:51:18 0 d-------- C:\Program Files\Nokia
2008-05-04 10:49:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-04 10:48:53 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-27 10:35:28 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 10:33:36 765952 --a------ C:\WINDOWS\system32\xvidcore.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CameraFixer"="C:\WINDOWS\CameraFixer.exe" [10/03/2005 12:23 PM]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [11/04/2005 04:05 PM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/05/2005 04:55 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/23/2007 01:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/9/2008 4:18:17 PM]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [3/5/2006 5:43:54 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2008-07-04 01:01:31 ------------

#12 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 03 July 2008 - 04:24 PM

For now I would get AVG-free installed again right away so you have some protection.


And let's get rid of this Panda service that's hanging around still.


Click Start > Run and type these commands, hitting Enter after each one:

sc stop PavPrSrv

sc delete PavPrSrv




Now let's run a malware scan to pick up anything leftover that we may have missed.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
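The sc stop / sc delete step above removes one leftover Panda service by its key name. As an added example that is not part of this thread, of HijackThis or of ComboFix, the script below generalises that step: it reads the O23 lines of a HijackThis log and the R*/S* service lines of a ComboFix log, lists every service whose binary the scanner reports as missing, and prints the same stop/delete pair for each. The sample lines are copied from the logs posted earlier in the thread; the parsing, the ServiceInfo record and the keep list are this example's own assumptions about how to read those formats.

```python
"""Flag orphaned service registrations in HijackThis and ComboFix logs.

Added example (not part of the thread or of either tool): finds services
whose binary is reported missing and emits the ``sc stop`` / ``sc delete``
pair for each. Sample lines are copied from the logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# HijackThis O23 line:
#   O23 - Service: <display> [(<short>)] - <vendor> - <path> [(file missing)]
# HJT omits "(<short>)" when the service key name equals the display name.
_HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# ComboFix service/driver line:
#   R1 <short>;<display>;<path> [<timestamp>]
# R = running, S = stopped; an empty "[]" means ComboFix could not stat the file.
_CF_SERVICE = re.compile(
    r"^[RS]\d (?P<short>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)

# Constructed samples, copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_HJT_LINES = r"""
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
""".strip().splitlines()

SAMPLE_COMBOFIX_LINES = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 17:03]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 17:02]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\dm9usb.sys [2002-03-19 23:24]
""".strip().splitlines()


@dataclass(frozen=True)
class ServiceInfo:
    short: str      # service key name, the name sc.exe expects
    display: str
    path: str
    missing: bool   # binary reported absent by the scanner
    source: str     # "hjt" or "combofix"


def parse_hjt_services(lines: Iterable[str]) -> Dict[str, ServiceInfo]:
    """Parse HijackThis O23 lines into {key_name: ServiceInfo}."""
    out: Dict[str, ServiceInfo] = {}
    for line in lines:
        m = _HJT_O23.match(line.strip())
        if not m:
            continue
        short = m.group("short") or m.group("display")
        out[short] = ServiceInfo(short, m.group("display"), m.group("path"),
                                 m.group("missing") is not None, "hjt")
    return out


def parse_combofix_services(lines: Iterable[str]) -> Dict[str, ServiceInfo]:
    """Parse ComboFix R*/S* service lines into {key_name: ServiceInfo}."""
    out: Dict[str, ServiceInfo] = {}
    for line in lines:
        m = _CF_SERVICE.match(line.strip())
        if not m:
            continue
        out[m.group("short")] = ServiceInfo(m.group("short"), m.group("display"),
                                            m.group("path"), m.group("stamp") == "",
                                            "combofix")
    return out


def orphaned_services(*maps: Dict[str, ServiceInfo], keep: Iterable[str] = ()) -> List[str]:
    """Key names whose binary is missing in any log, minus the ``keep`` list.

    A missing binary shows an orphaned registration, not malware: Windows'
    own services (CiSvc here) belong in ``keep``, not in the delete list.
    """
    skip = {k.lower() for k in keep}
    found: Dict[str, str] = {}
    for m in maps:
        for short, info in m.items():
            if info.missing and short.lower() not in skip:
                found.setdefault(short.lower(), short)
    return sorted(found.values(), key=str.lower)


def sc_commands(names: Iterable[str]) -> List[str]:
    """The stop/delete pair from the post above, for each service key name."""
    cmds: List[str] = []
    for n in names:
        cmds += [f"sc stop {n}", f"sc delete {n}"]
    return cmds


if __name__ == "__main__":
    hjt = parse_hjt_services(SAMPLE_HJT_LINES)
    cf = parse_combofix_services(SAMPLE_COMBOFIX_LINES)
    for cmd in sc_commands(orphaned_services(hjt, cf, keep=["CiSvc"])):
        print(cmd)
```

To use it on a real machine, read the saved HijackThis and ComboFix logs into the two parse functions instead of the embedded samples, and treat the printed commands as a review list rather than running them blindly: sc needs the key name shown in parentheses (PavPrSrv), not the display name, and a service whose file is missing is orphaned, not necessarily malicious.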

#13 hookedforever (Topic Starter, Philippines)

Posted 03 July 2008 - 07:13 PM

Hi Sam!
I tried installing AVG again but it still rolls back. Is it possible that it's having problems with my AVG 7.5? Here is the same error report I received:

Local machine: installation failed
Installation:
Error: Action failed for file avgmfx86.sys: starting service....
Error 0x80070002

I've removed Panda already. Thanks! Can you also teach me how to remove that C:\Spedia? I actually don't need that. I just got that from some site and I don't want to keep it any longer. Would it be safe to just delete the whole folder?

I'll be back with the MBAM log later.

#14 hookedforever (Topic Starter, Philippines)

Posted 03 July 2008 - 07:28 PM

Hi! Here's the MBAM log:

Malwarebytes' Anti-Malware 1.19
Database version: 919
Windows 5.1.2600 Service Pack 2

8:34:00 AM 7/4/2008
mbam-log-7-4-2008 (08-34-00).txt

Scan type: Quick Scan
Objects scanned: 36491
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Desktop\EncodeDecode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpi (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpl (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#15 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 03 July 2008 - 08:49 PM

Can you also teach me how to remove that C:\Spedia? I actually don't need that. I just got that from some site and I don't want to keep it any longer. Would it be safe to just delete the whole folder?

Yes, you can just delete the whole folder.


I tried installing AVG again but it still rolls back. Is it possible that it's having problems with my AVG 7.5?

Usually that error is caused by another antivirus program that causes a conflict. You said that you had AVG uninstalled already, but I do see it running in your last log. I would uninstall any previous version of AVG that you have now. Make sure you reboot and then try installing it once again.



