
Virtumode / Trojan Infections


  • This topic is locked
10 replies to this topic

#1 The Oldboy

The Oldboy

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:05 PM

Posted 04 July 2008 - 07:53 PM

OK, where to start!? From when I turn my computer on I get Spybot notifications of a system startup entry. I click deny, and remember this decision; it continues trying so the box pops up constantly on the right. When surfing the internet I get continuous popup windows opening up although my pop-up blocker is on. Every time I run Spybot Search and Destroy it brings up several adware, malware and spyware infections; I choose to 'fix' the problems but after restarting and running the same scan the problems show. The startup scan always runs also, although the box is unticked in the preferences for it. I have AVG and constantly get virus reports of a trojan. I get error boxes every so often stating that something failed to initialize. Below is the report. The extra report does not appear after a scan; I'm only receiving the main one. Also... I can't do the Kaspersky scan as it claims I do not have Java 1.5 or higher, though I just installed the latest version. Windows Explorer keeps restarting also.

Below is the report.

Thanks for your help

Tamer


Deckard's System Scanner v20071014.68
Run by Tamer Rustum on 2008-07-05 01:38:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Tamer Rustum.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:38:41, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Acer\ePM\EPM-DM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Tamer Rustum\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\TAMERR~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7} - C:\WINDOWS\system32\awtsTNfG.dll (file missing)
O2 - BHO: (no name) - {0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\tuvWpMdb.dll
O2 - BHO: (no name) - {1239a69f-3f68-49f3-8ef0-3d0aae297f98} - (no file)
O2 - BHO: (no name) - {462E7DCD-611D-4210-ABC2-F0422991E76B} - C:\WINDOWS\system32\ljJYPgFU.dll
O2 - BHO: (no name) - {494021CF-36D7-42F6-ADB0-9E795F159B54} - C:\WINDOWS\system32\mlJCVoMe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {c8c30303-4b53-8e5b-5624-aee5682818fa} - {af818286-5eea-4265-b5e8-35b430303c8c} - C:\WINDOWS\system32\lkwzzr.dll
O2 - BHO: (no name) - {FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7} - C:\WINDOWS\system32\wvUmjKAP.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [901035dc] rundll32.exe "C:\WINDOWS\system32\nuxgwtoo.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD2618] cmd /c del "C:\WINDOWS\system32\mlJCVoMe.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6511] cmd /c del "C:\WINDOWS\system32\tuvUMcyX.dll_old"
O4 - HKLM\..\Policies\Explorer\Run: [R1hnuegere] C:\WINDOWS\lqdizuhq.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - Winlogon Notify: tuvWpMdb - C:\WINDOWS\SYSTEM32\tuvWpMdb.dll
O20 - Winlogon Notify: winvvh32 - C:\WINDOWS\SYSTEM32\winvvh32.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9906 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 01:35:10 0 d-------- C:\Program Files\Trend Micro
2008-07-04 20:21:38 81408 --a------ C:\WINDOWS\system32\nuxgwtoo.dll
2008-07-04 20:19:26 101376 --a------ C:\WINDOWS\system32\lkwzzr.dll
2008-07-04 20:19:25 101376 --a------ C:\WINDOWS\system32\cxcfnuwt.dll
2008-07-04 20:18:36 587463 --ahs---- C:\WINDOWS\system32\UFgPYJjl.ini2
2008-07-04 20:18:27 282112 --a------ C:\WINDOWS\system32\ljJYPgFU.dll
2008-06-30 23:47:29 1947 --ahs---- C:\WINDOWS\system32\PAKjmUvw.ini2
2008-06-28 16:27:21 94208 --a------ C:\WINDOWS\system32\gsvolayk.dll
2008-06-28 06:43:58 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-28 06:43:54 2561 --a------ C:\WINDOWS\unins000.dat
2008-06-28 04:26:02 584935 --ahs---- C:\WINDOWS\system32\eMoVCJlm.ini2
2008-06-28 00:56:36 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\dBpoweramp
2008-06-28 00:37:09 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\AccurateRip
2008-06-28 00:37:03 13783 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-06-28 00:36:52 0 d-------- C:\Program Files\Illustrate
2008-06-28 00:27:45 145 --a------ C:\WINDOWS\system32\winver.bat
2008-06-28 00:26:57 2637 --ahs---- C:\WINDOWS\system32\XycMUvut.ini2
2008-06-28 00:01:33 118784 --a------ C:\WINDOWS\system32\mp3dec.dll
2008-06-27 18:36:18 0 d-------- C:\Program Files\VSTplugins
2008-06-27 18:34:56 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Publish Providers
2008-06-27 18:24:49 5149 --ahs---- C:\WINDOWS\system32\GfNTstwa.ini2
2008-06-27 18:19:41 32256 --a------ C:\WINDOWS\system32\winvvh32.dll
2008-06-27 18:19:39 34304 --a------ C:\WINDOWS\system32\tuvWpMdb.dll
2008-06-27 18:14:38 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Sony
2008-06-22 01:03:05 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-22 00:22:26 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Apple Computer
2008-06-22 00:19:12 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-06-22 00:18:01 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-06-19 13:33:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-06-17 00:39:25 0 d------c- C:\DVDVideoSoft
2008-06-17 00:38:37 0 d-------- C:\Program Files\DVDVideoSoft
2008-06-17 00:38:37 0 d-------- C:\Program Files\Common Files\DVDVideoSoft


-- Find3M Report ---------------------------------------------------------------

2008-07-05 01:34:58 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\OpenOffice.org2
2008-07-04 21:33:49 0 d-------- C:\Program Files\Java
2008-07-02 22:45:03 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\dvdcss
2008-06-29 12:29:55 0 d-------- C:\Program Files\BitTorrent
2008-06-28 22:15:14 0 d-------- C:\Program Files\Bonjour
2008-06-27 18:13:49 0 d-------- C:\Program Files\Sony
2008-06-22 00:55:05 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\LimeWire
2008-06-17 00:38:37 0 d-------- C:\Program Files\Common Files
2008-06-17 00:18:14 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Real
2008-06-07 23:36:08 0 d-------- C:\Program Files\InterActual
2008-05-31 14:36:44 0 d-------- C:\Program Files\Kontiki
2008-05-31 14:36:39 0 d-------- C:\Program Files\Channel4
2008-05-15 04:20:39 0 d-------- C:\Program Files\FriendBlasterPro
2008-05-05 20:13:28 0 d-------- C:\Program Files\OpenOffice.org 2.4


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7}]
C:\WINDOWS\system32\awtsTNfG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
27/06/2008 18:19 34304 --a------ C:\WINDOWS\system32\tuvWpMdb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1239a69f-3f68-49f3-8ef0-3d0aae297f98}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462E7DCD-611D-4210-ABC2-F0422991E76B}]
04/07/2008 20:18 282112 --a------ C:\WINDOWS\system32\ljJYPgFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{494021CF-36D7-42F6-ADB0-9E795F159B54}]
C:\WINDOWS\system32\mlJCVoMe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af818286-5eea-4265-b5e8-35b430303c8c}]
04/07/2008 20:19 101376 --a------ C:\WINDOWS\system32\lkwzzr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7}]
C:\WINDOWS\system32\wvUmjKAP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acerWireless"="C:\Program Files\acer\Wireless\Utility\WlanUtil.exe" [09/06/2004 12:15]
"EPM-DM"="C:\Acer\ePM\EPM-DM.exe" [03/11/2004 19:11]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [03/11/2004 18:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [28/06/2008 08:44]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 16:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [08/08/2007 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/05/2008 17:30]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 04:22]
"901035dc"="C:\WINDOWS\system32\nuxgwtoo.dll" [04/07/2008 20:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [10/10/2006 22:23]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [03/08/2007 13:51]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 14:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingD2618"=cmd /c del "C:\WINDOWS\system32\mlJCVoMe.dll_old"
"SpybotDeletingD6511"=cmd /c del "C:\WINDOWS\system32\tuvUMcyX.dll_old"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Tamer Rustum\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [21/01/2008 15:41:28]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"R1hnuegere"=C:\WINDOWS\lqdizuhq.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"= C:\WINDOWS\system32\tuvWpMdb.dll [27/06/2008 18:19 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWpMdb]
tuvWpMdb.dll 27/06/2008 18:19 34304 C:\WINDOWS\system32\tuvWpMdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winvvh32]
winvvh32.dll 27/06/2008 18:19 32256 C:\WINDOWS\system32\winvvh32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJYPgFU

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM93230640"=Rundll32.exe "C:\WINDOWS\system32\gsvolayk.dll",s
"holnqpyy"=C:\WINDOWS\system32\holnqpyy.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d1f4590-2e84-11dc-8aeb-000e358df5f7}]
AutoRun\command- RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
open\command- RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc5785b3-271a-11dd-b5ac-000e358df5f7}]
AutoRun\command- wscript.exe .\.vbs
open\command- wscript.exe .\.vbs




-- End of Deckard's System Scanner: finished at 2008-07-05 01:40:01 ------------
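Added example (not part of the thread, and not code from HijackThis, DSS or ComboFix): a small Python triage script that applies the same heuristics a log reader uses on a log like the one above, flagging nameless BHOs and Winlogon Notify packages backed by random-named DLLs in the Windows directory, a Policies\Explorer\Run autostart, and rundll32 loading a DLL at logon. The sample lines are copied from the posted log; the known-good Winlogon Notify list and the "random name" rule are assumptions meant to rank entries for human review, not to give a verdict.

```python
r"""Heuristic triage for HijackThis-style logs (output is a review list, not a verdict).

It looks for the autostart patterns visible in the log above: nameless BHOs and
Winlogon Notify packages backed by random-named DLLs in the Windows directory,
an entry under Policies\Explorer\Run, and rundll32 loading a DLL at startup.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the posted log, plus benign entries
# (Spybot, Java, iTunes, iPod) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\tuvWpMdb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [901035dc] rundll32.exe "C:\WINDOWS\system32\nuxgwtoo.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Policies\Explorer\Run: [R1hnuegere] C:\WINDOWS\lqdizuhq.exe
O20 - Winlogon Notify: tuvWpMdb - C:\WINDOWS\SYSTEM32\tuvWpMdb.dll
O20 - Winlogon Notify: winvvh32 - C:\WINDOWS\SYSTEM32\winvvh32.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# Any drive-letter path ending in .dll/.exe; quotes, commas and angle brackets end it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|,]*?\.(?:dll|exe)', re.IGNORECASE)
# Files directly in %WINDIR% or %WINDIR%\system32 (where the DLLs above were dropped).
SYSDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS(\\system32)?\\[^\\]+$", re.IGNORECASE)
# Assumed known-good Winlogon Notify packages on XP; extend for your environment.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def looks_random(filename: str) -> bool:
    """Heuristic for generated names: a 6-8 letter stem, no digits, and a run
    of three or more consonants (tuvWpMdb, nuxgwtoo, lqdizuhq all qualify)."""
    stem = filename.rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    run = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        if run >= 3:
            return True
    return False


def triage(log_text: str) -> List[Finding]:
    """Return the log lines worth a second look, each with the reasons."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        section, body = match.groups()
        paths = PATH_RE.findall(body)
        in_sysdir = [p for p in paths if SYSDIR_RE.match(p)]
        random_sys = [p for p in in_sysdir if looks_random(p.rsplit("\\", 1)[1])]
        reasons = []
        if section == "O2" and body.startswith("BHO: (no name)") and in_sysdir:
            reasons.append("nameless BHO loaded from the Windows directory")
        if section == "O4" and "Policies\\Explorer\\Run" in body:
            reasons.append("autostart via Policies\\Explorer\\Run (rarely legitimate)")
        if section == "O4" and "rundll32" in body.lower() and in_sysdir:
            reasons.append("rundll32 loads a DLL from the Windows directory at logon")
        if section == "O20" and body.startswith("Winlogon Notify:"):
            package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if package not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify package not in the known-good list")
        if random_sys:
            reasons.append("random-looking filename: " + ", ".join(random_sys))
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

On the sample, the five flagged lines are exactly the entries the second log in this thread shows as "(file missing)" or gone after the fix, while the Spybot, Java, iTunes and iPod entries pass untouched.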


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:05 AM

Posted 04 July 2008 - 09:56 PM

Hello The Oldboy,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 The Oldboy

The Oldboy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:05 PM

Posted 05 July 2008 - 08:15 AM

Thank you very much for your quick response.
Below is the new HijackThis log and then the ComboFix log.

Deckard's System Scanner v20071014.68
Run by Tamer Rustum on 2008-07-05 14:11:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Tamer Rustum.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:50, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Acer\ePM\EPM-DM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tamer Rustum\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\TAMERR~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7} - C:\WINDOWS\system32\awtsTNfG.dll (file missing)
O2 - BHO: (no name) - {0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\tuvWpMdb.dll (file missing)
O2 - BHO: (no name) - {1239a69f-3f68-49f3-8ef0-3d0aae297f98} - (no file)
O2 - BHO: (no name) - {494021CF-36D7-42F6-ADB0-9E795F159B54} - C:\WINDOWS\system32\mlJCVoMe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59D6A28B-190A-4507-8EF4-1CFF725B4CBB} - C:\WINDOWS\system32\ljJYPgFU.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {c8c30303-4b53-8e5b-5624-aee5682818fa} - {af818286-5eea-4265-b5e8-35b430303c8c} - C:\WINDOWS\system32\lkwzzr.dll (file missing)
O2 - BHO: (no name) - {FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7} - C:\WINDOWS\system32\wvUmjKAP.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9276 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 13:53:49 68096 --a------ C:\WINDOWS\zip.exe
2008-07-05 13:53:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-05 13:53:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-05 13:53:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-05 13:53:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-05 13:53:49 98816 --a------ C:\WINDOWS\sed.exe
2008-07-05 13:53:49 80412 --a------ C:\WINDOWS\grep.exe
2008-07-05 13:53:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-05 01:35:10 0 d-------- C:\Program Files\Trend Micro
2008-06-28 06:43:58 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-28 06:43:54 2561 --a------ C:\WINDOWS\unins000.dat
2008-06-28 00:56:36 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\dBpoweramp
2008-06-28 00:37:09 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\AccurateRip
2008-06-28 00:37:03 13783 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-06-28 00:36:52 0 d-------- C:\Program Files\Illustrate
2008-06-28 00:27:45 145 --a------ C:\WINDOWS\system32\winver.bat
2008-06-28 00:01:33 118784 --a------ C:\WINDOWS\system32\mp3dec.dll
2008-06-27 18:36:18 0 d-------- C:\Program Files\VSTplugins
2008-06-27 18:34:56 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Publish Providers
2008-06-27 18:14:38 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Sony
2008-06-22 01:03:05 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-22 00:22:26 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Apple Computer
2008-06-22 00:19:12 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-06-22 00:18:01 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-06-19 13:33:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-06-17 00:39:25 0 d------c- C:\DVDVideoSoft
2008-06-17 00:38:37 0 d-------- C:\Program Files\DVDVideoSoft
2008-06-17 00:38:37 0 d-------- C:\Program Files\Common Files\DVDVideoSoft


-- Find3M Report ---------------------------------------------------------------

2008-07-05 14:06:28 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\OpenOffice.org2
2008-07-04 21:33:49 0 d-------- C:\Program Files\Java
2008-07-02 22:45:03 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\dvdcss
2008-06-29 12:29:55 0 d-------- C:\Program Files\BitTorrent
2008-06-28 22:15:14 0 d-------- C:\Program Files\Bonjour
2008-06-27 18:13:49 0 d-------- C:\Program Files\Sony
2008-06-22 00:55:05 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\LimeWire
2008-06-17 00:38:37 0 d-------- C:\Program Files\Common Files
2008-06-17 00:18:14 0 d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Real
2008-06-07 23:36:08 0 d-------- C:\Program Files\InterActual
2008-05-31 14:36:44 0 d-------- C:\Program Files\Kontiki
2008-05-31 14:36:39 0 d-------- C:\Program Files\Channel4
2008-05-15 04:20:39 0 d-------- C:\Program Files\FriendBlasterPro
2008-05-05 20:13:28 0 d-------- C:\Program Files\OpenOffice.org 2.4


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7}]
C:\WINDOWS\system32\awtsTNfG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
C:\WINDOWS\system32\tuvWpMdb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1239a69f-3f68-49f3-8ef0-3d0aae297f98}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{494021CF-36D7-42F6-ADB0-9E795F159B54}]
C:\WINDOWS\system32\mlJCVoMe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59D6A28B-190A-4507-8EF4-1CFF725B4CBB}]
C:\WINDOWS\system32\ljJYPgFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af818286-5eea-4265-b5e8-35b430303c8c}]
C:\WINDOWS\system32\lkwzzr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7}]
C:\WINDOWS\system32\wvUmjKAP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acerWireless"="C:\Program Files\acer\Wireless\Utility\WlanUtil.exe" [09/06/2004 12:15]
"EPM-DM"="C:\Acer\ePM\EPM-DM.exe" [03/11/2004 19:11]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [03/11/2004 18:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [28/06/2008 08:44]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 16:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [08/08/2007 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/05/2008 17:30]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 04:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [10/10/2006 22:23]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [03/08/2007 13:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 14:00]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Tamer Rustum\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [21/01/2008 15:41:28]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"= C:\WINDOWS\system32\tuvWpMdb.dll [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM93230640"=Rundll32.exe "C:\WINDOWS\system32\gsvolayk.dll",s
"holnqpyy"=C:\WINDOWS\system32\holnqpyy.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc5785b3-271a-11dd-b5ac-000e358df5f7}]
AutoRun\command- wscript.exe .\.vbs
open\command- wscript.exe .\.vbs




-- End of Deckard's System Scanner: finished at 2008-07-05 14:12:30 ------------



ComboFix 08-07-04.6 - Tamer Rustum 2008-07-05 13:55:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.161 [GMT 1:00]
Running from: C:\Documents and Settings\Tamer Rustum\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cxcfnuwt.dll
C:\WINDOWS\system32\eMoVCJlm.ini
C:\WINDOWS\system32\eMoVCJlm.ini2
C:\WINDOWS\system32\fjcftbam.ini
C:\WINDOWS\system32\GfNTstwa.ini
C:\WINDOWS\system32\GfNTstwa.ini2
C:\WINDOWS\system32\gsvolayk.dll
C:\WINDOWS\system32\ljJYPgFU.dll
C:\WINDOWS\system32\lkwzzr.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nuxgwtoo.dll
C:\WINDOWS\system32\ootwgxun.ini
C:\WINDOWS\system32\PAKjmUvw.ini
C:\WINDOWS\system32\PAKjmUvw.ini2
C:\WINDOWS\system32\tuvWpMdb.dll
C:\WINDOWS\system32\UFgPYJjl.ini
C:\WINDOWS\system32\UFgPYJjl.ini2
C:\WINDOWS\system32\umborkyc.ini
C:\WINDOWS\system32\wcoooeya.ini
C:\WINDOWS\system32\winvvh32.dll
C:\WINDOWS\system32\XycMUvut.ini
C:\WINDOWS\system32\XycMUvut.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-05 01:35 . 2008-07-05 01:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 23:15 . 2008-07-04 23:15 <DIR> d----c--- C:\Deckard
2008-06-28 16:27 . 2008-07-04 20:25 110,424 --a------ C:\WINDOWS\BM93230640.xml
2008-06-28 06:43 . 2008-06-28 06:42 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-28 06:43 . 2008-06-28 06:44 2,561 --a------ C:\WINDOWS\unins000.dat
2008-06-28 05:14 . 2003-11-04 15:10 65,536 --a------ C:\WINDOWS\system32\lfeps13n.dll
2008-06-28 00:56 . 2008-06-28 00:56 <DIR> d-------- C:\Documents and Settings\Tamer Rustum\Application Data\dBpoweramp
2008-06-28 00:37 . 2008-06-28 00:37 <DIR> d-------- C:\Documents and Settings\Tamer Rustum\Application Data\AccurateRip
2008-06-28 00:37 . 2008-06-28 00:36 5,052,280 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-06-28 00:37 . 2008-06-28 00:36 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-06-28 00:37 . 2008-06-28 00:37 13,783 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-06-28 00:36 . 2008-06-28 00:36 <DIR> d-------- C:\Program Files\Illustrate
2008-06-28 00:27 . 2008-06-28 00:27 145 --a------ C:\WINDOWS\system32\winver.bat
2008-06-28 00:03 . 2001-08-08 21:00 40,960 --a------ C:\WINDOWS\system32\DGPNorm.ocx
2008-06-28 00:01 . 1999-09-17 10:56 118,784 --a------ C:\WINDOWS\system32\mp3dec.dll
2008-06-28 00:01 . 2001-12-12 10:42 40,960 --a------ C:\WINDOWS\system32\MDec.ocx
2008-06-27 19:30 . 2008-07-01 19:50 359 --a------ C:\WINDOWS\wininit.ini
2008-06-27 18:36 . 2008-06-27 18:36 <DIR> d-------- C:\Program Files\VSTplugins
2008-06-27 18:34 . 2008-06-27 18:34 <DIR> d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Publish Providers
2008-06-27 18:14 . 2008-06-28 13:32 <DIR> d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Sony
2008-06-22 01:03 . 2008-07-03 22:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-22 00:22 . 2008-06-22 00:22 <DIR> d-------- C:\Documents and Settings\Tamer Rustum\Application Data\Apple Computer
2008-06-22 00:22 . 2008-07-05 14:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-22 00:22 . 2008-06-22 00:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-22 00:19 . 2008-06-22 00:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-06-22 00:18 . 2008-06-22 00:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-06-22 00:18 . 2008-01-15 03:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-19 13:33 . 2008-06-19 13:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-06-17 00:39 . 2008-06-17 00:40 <DIR> d----c--- C:\DVDVideoSoft
2008-06-17 00:38 . 2008-06-17 00:38 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-06-17 00:38 . 2008-06-28 00:48 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-06-17 00:38 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-06-07 23:36 . 2008-06-07 23:36 0 --a------ C:\WINDOWS\iPlayer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 13:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-07-05 12:49 --------- d-----w C:\Documents and Settings\Tamer Rustum\Application Data\OpenOffice.org2
2008-07-04 20:33 --------- d-----w C:\Program Files\Java
2008-07-02 21:45 --------- d-----w C:\Documents and Settings\Tamer Rustum\Application Data\dvdcss
2008-06-30 19:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-06-29 11:29 --------- d-----w C:\Program Files\BitTorrent
2008-06-28 21:15 --------- d-----w C:\Program Files\Bonjour
2008-06-28 11:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-28 11:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-27 17:13 --------- d-----w C:\Program Files\Sony
2008-06-21 23:55 --------- d-----w C:\Documents and Settings\Tamer Rustum\Application Data\LimeWire
2008-06-07 22:36 --------- d-----w C:\Program Files\InterActual
2008-05-31 13:36 --------- d-----w C:\Program Files\Kontiki
2008-05-31 13:36 --------- d-----w C:\Program Files\Channel4
2008-05-31 13:36 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Channel4
2008-05-15 03:20 --------- d-----w C:\Program Files\FriendBlasterPro
2008-05-05 19:13 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-03-21 02:03 107 ---ha-w C:\Program Files\Desktop.ini
2007-06-12 14:02 427,320 ----a-w C:\Program Files\historyeraser.exe
2008-03-20 19:51 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-03-20 19:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-03-20 19:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat
2008-03-20 19:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-03-21 14:09 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-10-10 22:23 43520]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 13:51 202024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acerWireless"="C:\Program Files\acer\Wireless\Utility\WlanUtil.exe" [2004-06-09 12:15 417792]
"EPM-DM"="C:\Acer\ePM\EPM-DM.exe" [2004-11-03 19:11 163840]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-11-03 18:45 2883584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 08:44 580096]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 10:25 1828136]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 17:30 185896]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-26 03:54 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

C:\Documents and Settings\Tamer Rustum\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM93230640"=Rundll32.exe "C:\WINDOWS\system32\gsvolayk.dll",s
"holnqpyy"=C:\WINDOWS\system32\holnqpyy.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 14:57]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 14:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2004-09-02 18:27]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-04 00:07]
S3 SeratoUsb;SeratoUsb driver;C:\WINDOWS\system32\Drivers\SeratoUsb.sys [2006-03-16 18:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc5785b3-271a-11dd-b5ac-000e358df5f7}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

.
- - - - ORPHANS REMOVED - - - -

BHO-{02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7} - C:\WINDOWS\system32\awtsTNfG.dll
BHO-{0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\tuvWpMdb.dll
BHO-{1239a69f-3f68-49f3-8ef0-3d0aae297f98} - (no file)
BHO-{494021CF-36D7-42F6-ADB0-9E795F159B54} - C:\WINDOWS\system32\mlJCVoMe.dll
BHO-{59D6A28B-190A-4507-8EF4-1CFF725B4CBB} - C:\WINDOWS\system32\ljJYPgFU.dll
BHO-{af818286-5eea-4265-b5e8-35b430303c8c} - C:\WINDOWS\system32\lkwzzr.dll
BHO-{FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7} - C:\WINDOWS\system32\wvUmjKAP.dll
HKLM-Run-901035dc - C:\WINDOWS\system32\nuxgwtoo.dll
HKLM-Explorer_Run-R1hnuegere - C:\WINDOWS\lqdizuhq.exe
ShellExecuteHooks-{0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\tuvWpMdb.dll
Notify-winvvh32 - winvvh32.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 14:04:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-05 14:10:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-05 13:10:51

Pre-Run: 51,694,039,040 bytes free
Post-Run: 52,212,412,416 bytes free

193 --- E O F --- 2008-03-21 12:59:25
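
As an added example (editor's code, not part of the thread and not a ComboFix or BleepingComputer tool), two checks a responder can run over the ComboFix text above. The first walks the "Reg Loading Points" dump and flags MountPoints2 shell verbs: that key is where Explorer caches the autorun.inf verbs it read from a volume, and here both AutoRun and open run wscript.exe on a file named just ".vbs" relative to the volume, the footprint of a removable-media script worm that is separate from the Vundo BHOs. The second pairs the deleted .ini files with the BHO DLLs by reversing the name (GfNTstwa.ini / awtsTNfG.dll), a naming pattern widely reported for the Vundo/Virtumonde family. Sample lines and file names are copied from the log above; the regexes, thresholds and function names are assumptions of this example.

```python
"""Added example, not code from this thread or from ComboFix: two checks a responder
can run over the ComboFix text posted above.  Sample lines are copied from that log;
the heuristics and all function names are the editor's own."""
import re
from typing import Dict, Iterable, List, Tuple

# Key header of a MountPoints2 entry, e.g.
# [HKEY_CURRENT_USER\software\...\explorer\mountpoints2\{cc5785b3-271a-11dd-b5ac-000e358df5f7}]
MP2_KEY_RE = re.compile(r"^\[HKEY_.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# Value line as ComboFix prints it ("\Shell\AutoRun\command - wscript.exe .\.vbs") or as
# Deckard's System Scanner prints it ("AutoRun\command- wscript.exe .\.vbs")
MP2_CMD_RE = re.compile(r"^(?:\\?Shell\\)?(?P<verb>\w+)\\command\s*-\s*(?P<cmd>.+)$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}


def mountpoints2_findings(dump_text: str) -> List[Dict[str, str]]:
    """Flag MountPoints2 shell verbs (what Explorer runs when a volume is double-clicked)
    whose command launches a script host, a path relative to the volume, or a file whose
    name is nothing but an extension.  Any other [key] header closes the scope."""
    findings: List[Dict[str, str]] = []
    volume = ""
    for raw in dump_text.splitlines():
        line = raw.strip()
        key = MP2_KEY_RE.match(line)
        if key:
            volume = key.group("guid")
            continue
        if line.startswith("["):
            volume = ""
            continue
        cmd_match = MP2_CMD_RE.match(line) if volume else None
        if not cmd_match:
            continue
        command = cmd_match.group("cmd")
        exe, _, args = command.partition(" ")
        why = []
        if exe.lower() in SCRIPT_HOSTS:
            why.append("script host")
        if args.startswith(".\\") or args.startswith("./"):
            why.append("relative path on the volume")
        if args.replace("/", "\\").split("\\")[-1].startswith("."):
            why.append("extension-only file name")
        if why:
            findings.append({"volume": volume, "verb": cmd_match.group("verb"),
                             "command": command, "why": ", ".join(why)})
    return findings


def _stem(name: str) -> str:
    return name.rsplit(".", 1)[0]


def reversed_pairs(ini_names: Iterable[str], dll_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each <stem>.ini with a <stem reversed>.dll.  The 'Other Deletions' list above
    holds several such pairs; the .ini is the companion data file of the BHO DLL."""
    dll_by_stem = {_stem(d): d for d in dll_names}
    return [(i, dll_by_stem[_stem(i)[::-1]]) for i in ini_names if _stem(i)[::-1] in dll_by_stem]


# Copied from the ComboFix "Reg Loading Points" section above; the run- block precedes the
# MountPoints2 key there and shows that an unrelated key closes the scope.
COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM93230640"=Rundll32.exe "C:\WINDOWS\system32\gsvolayk.dll",s
"holnqpyy"=C:\WINDOWS\system32\holnqpyy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc5785b3-271a-11dd-b5ac-000e358df5f7}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
"""
# File names from the "Other Deletions" section and the "ORPHANS REMOVED" BHO list above.
DELETED_INIS = ["eMoVCJlm.ini", "fjcftbam.ini", "GfNTstwa.ini", "ootwgxun.ini", "PAKjmUvw.ini",
                "UFgPYJjl.ini", "umborkyc.ini", "wcoooeya.ini", "XycMUvut.ini"]
VUNDO_DLLS = ["cxcfnuwt.dll", "gsvolayk.dll", "ljJYPgFU.dll", "lkwzzr.dll", "nuxgwtoo.dll",
              "tuvWpMdb.dll", "winvvh32.dll", "awtsTNfG.dll", "mlJCVoMe.dll", "wvUmjKAP.dll"]

if __name__ == "__main__":
    for f in mountpoints2_findings(COMBOFIX_REG):
        print(f"MountPoints2 {f['volume']} {f['verb']}: {f['command']}  <- {f['why']}")
    for ini, dll in reversed_pairs(DELETED_INIS, VUNDO_DLLS):
        print(f"{ini} is the reverse of {dll}")
```

The MountPoints2 entry is keyed by volume GUID, so it survives removal of the drive; the practical follow-up is to scan the removable drive that was plugged in around 2008-05 (the {cc5785b3-271a-11dd-...} GUID) before it is used again, and to check its autorun.inf and root directory for the ".vbs" file.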

#4 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 July 2008 - 09:15 AM

Hello,

You're welcome. :thumbsup:

Looking better... how is it running, please?

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 The Oldboy
  • Topic Starter

  • Members
  • 6 posts

Posted 05 July 2008 - 01:44 PM

yo..
yeah i can notice a difference. haven't really used my laptop today, but had no popups or virus flashup things. and things seem to be working!

below is the Malwarebytes report and then the HijackThis one.

thanks

Tamer

Malwarebytes' Anti-Malware 1.19
Database version: 924
Windows 5.1.2600 Service Pack 2

19:38:04 05/07/2008
mbam-log-7-5-2008 (19-38-04).txt

Scan type: Quick Scan
Objects scanned: 51434
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0e64e841-2463-47c9-8797-daf2810bbf61} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0e64e841-2463-47c9-8797-daf2810bbf61} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0e64e841-2463-47c9-8797-daf2810bbf61} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:44:18, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Acer\ePM\EPM-DM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7} - C:\WINDOWS\system32\awtsTNfG.dll (file missing)
O2 - BHO: (no name) - {1239a69f-3f68-49f3-8ef0-3d0aae297f98} - (no file)
O2 - BHO: (no name) - {494021CF-36D7-42F6-ADB0-9E795F159B54} - C:\WINDOWS\system32\mlJCVoMe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59D6A28B-190A-4507-8EF4-1CFF725B4CBB} - C:\WINDOWS\system32\ljJYPgFU.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {c8c30303-4b53-8e5b-5624-aee5682818fa} - {af818286-5eea-4265-b5e8-35b430303c8c} - C:\WINDOWS\system32\lkwzzr.dll (file missing)
O2 - BHO: (no name) - {FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7} - C:\WINDOWS\system32\wvUmjKAP.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9309 bytes

#6 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 05 July 2008 - 07:52 PM

Hello,

Great to know. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7} - C:\WINDOWS\system32\awtsTNfG.dll (file missing)
O2 - BHO: (no name) - {1239a69f-3f68-49f3-8ef0-3d0aae297f98} - (no file)
O2 - BHO: (no name) - {494021CF-36D7-42F6-ADB0-9E795F159B54} - C:\WINDOWS\system32\mlJCVoMe.dll (file missing)
O2 - BHO: (no name) - {59D6A28B-190A-4507-8EF4-1CFF725B4CBB} - C:\WINDOWS\system32\ljJYPgFU.dll (file missing)
O2 - BHO: {c8c30303-4b53-8e5b-5624-aee5682818fa} - {af818286-5eea-4265-b5e8-35b430303c8c} - C:\WINDOWS\system32\lkwzzr.dll (file missing)
O2 - BHO: (no name) - {FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7} - C:\WINDOWS\system32\wvUmjKAP.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

I'd like you to perform an online virus scan with Kaspersky Online Virus Scanner

Navigate (using Internet Explorer only, other browsers won't work) to the following site: http://www.kaspersky.com/virusscanner

Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

* In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
* When you get the Windows dialog asking if you want to install this software, click the "Install" button.
* The scanner will download the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
* Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
* Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop. Close the Kaspersky On-line Scanner window. Please post the report in your reply. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
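The fix list above is the kind of thing a responder checks by eye: every flagged O2 (Browser Helper Object) entry either has no display name or points at a DLL that is no longer on disk, and the later HijackThis log in this thread should no longer contain any of those CLSIDs. The following is an added example, not code from the thread or from HijackThis, that parses O2 lines, flags the orphaned and nameless entries, and verifies that a fresh log no longer references the CLSIDs that were fixed. The sample logs embedded in it are copied from the posts in this thread; the "(no name)" string and the "(file missing)" / "(no file)" suffixes are HijackThis's own markers, and the suspicion rules are this example's own, not HijackThis's.

```python
import re

# HijackThis O2 line format, as it appears in the logs in this thread:
#   O2 - BHO: <display name> - {CLSID} - <DLL path> [(file missing)]
# A path of "(no file)" or one ending in "(file missing)" means the registry
# still references a DLL that is no longer on disk (an orphaned BHO).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# The six entries teacup61 asked to have fixed, copied from the post above.
FIX_LIST = r"""
O2 - BHO: (no name) - {02EFC8DD-4336-4E2E-8E93-5D9375DBE6C7} - C:\WINDOWS\system32\awtsTNfG.dll (file missing)
O2 - BHO: (no name) - {1239a69f-3f68-49f3-8ef0-3d0aae297f98} - (no file)
O2 - BHO: (no name) - {494021CF-36D7-42F6-ADB0-9E795F159B54} - C:\WINDOWS\system32\mlJCVoMe.dll (file missing)
O2 - BHO: (no name) - {59D6A28B-190A-4507-8EF4-1CFF725B4CBB} - C:\WINDOWS\system32\ljJYPgFU.dll (file missing)
O2 - BHO: {c8c30303-4b53-8e5b-5624-aee5682818fa} - {af818286-5eea-4265-b5e8-35b430303c8c} - C:\WINDOWS\system32\lkwzzr.dll (file missing)
O2 - BHO: (no name) - {FE9E61DC-5981-4D3C-9B83-F3F9854DA2F7} - C:\WINDOWS\system32\wvUmjKAP.dll (file missing)
"""

# The O2 section of the post-fix HijackThis log posted later in this thread.
NEW_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
"""


def parse_o2(log_text):
    """Parse every O2 (Browser Helper Object) line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        entries.append({
            "name": m.group("name").strip(),
            "clsid": m.group("clsid").upper(),   # normalise case for set comparison
            "path": path,
            "orphan": path == "(no file)" or path.endswith("(file missing)"),
        })
    return entries


def suspicious_bhos(entries):
    """BHOs worth fixing: the DLL is gone, there is no display name, or the
    'name' is itself a GUID. A legitimate BHO registers a readable name and
    points at a DLL that exists; every entry in the fix list fails at least
    one of these (rules are this example's own, not HijackThis's)."""
    return [
        e for e in entries
        if e["orphan"] or e["name"] == "(no name)" or GUID_RE.match(e["name"])
    ]


def still_present(fix_list_text, new_log_text):
    """CLSIDs from the fix list that survive in a fresh log (empty = fix took)."""
    fixed = {e["clsid"] for e in parse_o2(fix_list_text)}
    current = {e["clsid"] for e in parse_o2(new_log_text)}
    return sorted(fixed & current)


if __name__ == "__main__":
    for e in suspicious_bhos(parse_o2(FIX_LIST)):
        print("fix:", e["clsid"], e["path"])
    print("leftover after fix:", still_present(FIX_LIST, NEW_LOG))
```

Run against the two logs, `suspicious_bhos` returns all six fix-list entries and nothing from the new log, and `still_present` returns an empty list, which is the check you want before telling the poster the fix took. Orphaned entries are only the registry residue of DLLs that were already removed; the reason to fix them anyway is that Internet Explorer will keep trying to load those CLSIDs at every start.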

#7 The Oldboy (Topic Starter, Members, 6 posts)

Posted 06 July 2008 - 03:15 AM

Thank you again so far.
So I've done the first step and amended those files.
I can't do the Kaspersky thing, as when it comes to accepting the agreement a box pops up saying I need Java 1.5 or later. I've already gone on the Java site and installed the latest version.... ?

#8 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 06 July 2008 - 12:44 PM

Hello,

Several folks have had a hard time with it lately, and Kaspersky is known to take these "spells", so I don't think it's anything to do with you. :)

How about a scan with your AVG AS? Let me know if it finds anything, and please go ahead and post a fresh, and hopefully last, HijackThis log. :thumbsup:

Thanks,
tea

#9 The Oldboy (Topic Starter, Members, 6 posts)

Posted 07 July 2008 - 05:33 PM

Hello.
So I did an AVG scan and it still found like 40 infections.
Below is the log and a new HijackThis log.

Thanks

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:27:53 07/07/2008

+ Scan result:



C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@atoc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@viamtvcom.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@dynamic.media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@ehg-logantod.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@server.iad.liveperson[6].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@counter3.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@counter4.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32:52, on 07/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Acer\ePM\EPM-DM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8563 bytes

#10 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 07 July 2008 - 06:57 PM

Hello,

Those are all common cookies and nothing to worry about. :thumbsup: How is it running now please?

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Regards,
tea
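The "40 infections" in the AVG Anti-Spyware report are all TrackingCookie.* hits on .txt files in the profile's Cookies folder, which is why the responder dismisses them: a tracking cookie is a text file the browser wrote, not executable code, and browsing will recreate them. The following is an added example, not code from the thread or from AVG, that parses the report format shown above and separates cleaned tracking cookies from anything that actually needs a look. The two cookie lines in the sample are copied from the posted report; the third line (path, family name and action) is constructed for this example so the filter has something to flag.

```python
import re

# AVG Anti-Spyware 7.5 report line format, as posted in this thread:
#   <path> -> <Family.Name> : <action>.
AVG_RE = re.compile(
    r"^(?P<path>.+?) -> (?P<classification>\S+) : (?P<action>[^.\n]+)\.?$"
)

# Two lines copied from the posted report, plus one CONSTRUCTED detection
# (hypothetical path, family and action) that is not a cookie.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:27:53 07/07/2008

+ Scan result:

C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tamer Rustum\Cookies\tamer_rustum@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\WINDOWS\system32\constructed_sample.dll -> Trojan.ConstructedSample : Ignored.

::Report end
"""


def parse_avg_report(text):
    """Parse each detection line into path / classification / action."""
    findings = []
    for line in text.splitlines():
        m = AVG_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def is_tracking_cookie(finding):
    """A cookie hit: TrackingCookie.* family AND a file under a Cookies folder.
    Both conditions are required so that a TrackingCookie label on a file
    somewhere else (which would be odd) is not waved through."""
    return (finding["classification"].startswith("TrackingCookie.")
            and "\\Cookies\\" in finding["path"])


def needs_attention(findings):
    """Everything that is not a tracking cookie already reported as Cleaned."""
    return [
        f for f in findings
        if not (is_tracking_cookie(f) and f["action"] == "Cleaned")
    ]


def summarize(findings):
    """Count detections per top-level family (e.g. TrackingCookie, Trojan)."""
    counts = {}
    for f in findings:
        family = f["classification"].split(".", 1)[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_avg_report(SAMPLE_REPORT)
    print("per family:", summarize(found))
    for f in needs_attention(found):
        print("look at:", f["path"], f["classification"], f["action"])
```

On the report posted above, `needs_attention` returns nothing, which matches the responder's reading; the constructed third line shows what a real finding would look like when it surfaces from the noise.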

#11 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 20 July 2008 - 03:25 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
