
Malware...virtumonde?


This topic is locked
10 replies to this topic

#1 smurfe000 (Members, 5 posts)

Posted 15 July 2008 - 08:56 PM

Hello all,
This is the first time I've posted here, so if there is anything I'm missing please just let me know how to go about putting it all in and I'll try my best to assist you pros.
So the story is my brother tried to remove this virus. I'm not too sure what he's done, but the scans come back as negative, although the computer seems to be behaving badly...
Some things that aren't running right:
- Internet Explorer is taking way too long to load
- Windows updates are not installing, they are downloading though
- when shutting down it says installing update 1 of 6, but about 3 seconds after that appears the PC just shuts down without installing the updates
- when trying to set the automatic updates, it won't allow me to change the time that the updates are automatically installed; it will always set the time to 3:00 even after I've set it to a different time and applied the new settings
- when trying to copy and paste large amounts of data an error seems to occur constantly... something like "delayed write failed"???

So now to the logs...
I performed a Kaspersky scan but it came up with no infections, which I think may be odd; also the DSS scan only popped up one report, 'main.txt', so I'm afraid that's all I can post... any advice on this matter would be greatly appreciated.

Deckard's System Scanner v20071014.68
Run by User on 2008-07-16 11:41:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:45, on 16/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RDS\dds.exe
C:\Program Files\RDS\spooler.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4CDD4075-7FEE-4433-800A-54FC5F855531} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E839189-8D33-464D-9338-1A91BBBD0EDE} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Delivery Services.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215760081963
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216011221906
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yaywvTlm - yaywvTlm.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe

--
End of file - 6432 bytes

-- Files created between 2008-06-16 and 2008-07-16 -----------------------------

2008-07-16 10:27:06 0 d-------- C:\WINDOWS\Sun
2008-07-16 10:26:11 0 d-------- C:\Program Files\Sun
2008-07-16 10:23:25 0 d-------- C:\Program Files\Java
2008-07-16 10:23:18 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 10:23:03 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2008-07-16 09:56:40 0 d-------- C:\Program Files\SDM20
2008-07-16 09:47:37 0 d-------- C:\Program Files\Trend Micro
2008-07-16 09:29:21 0 d-------- C:\WINDOWS\LastGood
2008-07-14 15:28:50 0 d-------- C:\Program Files\Windows Defender
2008-07-14 14:38:39 0 d-------- C:\WINDOWS\Prefetch
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\system32\scripting
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\system32\en
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\l2schemas
2008-07-14 14:34:49 0 d-------- C:\WINDOWS\system32\bits
2008-07-14 14:32:30 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 14:27:26 0 d-------- C:\WINDOWS\EHome
2008-07-11 17:21:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 16:39:30 0 d-------- C:\WINDOWS\setup.pss
2008-07-11 16:15:51 2330 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 16:15:15 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-11 16:15:15 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-11 16:15:15 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-11 16:15:15 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-11 16:15:15 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-11 16:15:15 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-11 16:15:15 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-11 16:15:15 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-11 15:56:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-11 14:31:48 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-11 14:31:48 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-11 14:31:48 3145728 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-11 14:31:48 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-11 14:31:48 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-11 14:31:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-11 14:31:48 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-11 14:31:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-11 14:31:48 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-11 14:27:29 0 d-------- C:\Autoruns
2008-07-11 12:30:07 162165 --ahs---- C:\WINDOWS\system32\BadeLRqr.ini2
2008-07-11 12:24:25 0 d-------- C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-11 11:56:23 0 d--h----- C:\$AVG8.VAULT$
2008-07-04 10:57:22 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-04 10:57:22 0 d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-07-04 10:15:46 0 d-------- C:\Documents and Settings\User\Application Data\aAvgApi
2008-06-17 11:07:57 0 d-------- C:\Program Files\Avery
2008-06-16 09:45:29 0 d-------- C:\NOCOUNTRY_OLDMEN_AU


-- Find3M Report ---------------------------------------------------------------

2008-07-16 10:23:18 0 d-------- C:\Program Files\Common Files
2008-07-14 16:15:38 0 d-------- C:\Program Files\Google
2008-07-14 14:35:15 0 d-------- C:\Program Files\Messenger
2008-07-14 14:34:49 0 d-------- C:\Program Files\Movie Maker
2008-07-14 14:32:19 0 d-------- C:\Program Files\Windows NT
2008-07-14 13:30:53 22816 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-14 12:11:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-18 10:55:53 0 d-------- C:\Documents and Settings\User\Application Data\DivX
2008-05-28 14:08:42 0 d-------- C:\Program Files\Windows Media Connect 2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CDD4075-7FEE-4433-800A-54FC5F855531}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E839189-8D33-464D-9338-1A91BBBD0EDE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
04/07/2008 10:57 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/07/2008 10:57 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [08/03/2005 13:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [01/11/2005 06:15 C:\WINDOWS\system32\VTTrayp.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/01/2005 03:01]
"Hotkey"="C:\Program Files\Hotkey\Hotkey.exe" [04/04/2004 11:38]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [07/04/2001 15:26]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [05/11/2000 14:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 21:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/07/2008 10:57]
"SoundMan"="SOUNDMAN.EXE" [23/09/2005 02:42 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/18/1999 6:05:56 AM]
Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [2/5/2008 1:22:14 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvTlm]
yaywvTlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLedaB

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b21bdac-4d55-11db-9dd2-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa2e3f8b-cb82-11db-afba-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4d95185-eb0f-11dc-a9da-0018f31bf63a}]
AutoRun\command- hdbifxd.exe
explore\Command- hdbifxd.exe
open\Command- hdbifxd.exe




-- End of Deckard's System Scanner: finished at 2008-07-16 11:42:28 ------------


I don't know if this will help, but this is what Windows Update shows when I try to install updates...

Installation Summary

Successful: 0
Failed: 8
Remaining: 0


--------------------------------------------------------------------------------

Successful Updates


--------------------------------------------------------------------------------


Failed Updates
For help installing an update successfully, see the solution under each problem description.


Problem: End User License Agreement (EULA) Not Accepted
Solution: Check for updates again and wait while you install updates. You will be asked to accept the EULA before any updates with a EULA can be installed.

Problem: Not Enough Disk Space
Solution: To make more space available, run the Disk Cleanup tool or uninstall any programs that you don’t use. For directions, see Help and Support on your computer.

Problem: Automatic Updates is currently installing updates
Solution: Please wait until Automatic Updates is complete and then check your update history. At that time, if the update has failed to install, you can try installing it from the website.
Note: To view Automatic Updates progress, click the updating icon in your System Tray.

Problem: Please check your update history for a description.

Problem: A problem on your computer is preventing updates from being downloaded or installed
Solution: To fix the problem, try installing the updates again. If that doesn't work, use the Troubleshooter to try to solve the problem.

Microsoft CAPICOM
Security Update for CAPICOM (KB931906)

Microsoft Office 2007
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for the 2007 Microsoft Office System (KB947801)
Security Update for Microsoft Office system 2007 (KB951808)
Microsoft Office Compatibility Pack Service Pack 1 (SP1)

Microsoft Windows XP
Cumulative Security Update for Internet Explorer 7 for Windows XP (KB950759)
Update for Windows XP (KB951978)

Microsoft Windows Defender
Definition Update for Windows Defender - KB915597 (Definition 1.37.746.0)


Any help here would be greatly appreciated...thanks in advance!
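Three lines in the registry dump above belong together and are the reason a clean Kaspersky result should not be taken at face value: the orphaned Winlogon Notify entry for yaywvTlm.dll (a DLL winlogon.exe loads at logon), the extra LSA "Authentication Packages" value C:\WINDOWS\system32\rqRLedaB (loaded into lsass.exe at every boot, Safe Mode included), and the hidden+system file C:\WINDOWS\system32\BadeLRqr.ini2, whose name is rqRLedaB spelled backwards. Keeping a copy of each loaded DLL under its reversed name with an .ini/.ini2 extension is a known Vundo/Virtumonde habit, and the bare hdbifxd.exe in the MountPoints2 AutoRun commands is the signature of an autorun.inf worm on a removable drive. The script below is an added example for this thread, not code from the poster, from BleepingComputer or from DSS/HijackThis; it runs that triage over lines copied from the log above. The KNOWN_* allowlists are trimmed assumptions of the example, and the finding names are its own.

```python
"""Triage of HijackThis / Deckard's System Scanner output for Vundo-style
persistence.  Added example for this thread; not part of DSS or HijackThis."""
import re

# Sample input: lines copied verbatim from the log posted above, plus one
# benign AppInit_DLLs line and one directory line from the same log for contrast.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yaywvTlm - yaywvTlm.dll (file missing)
2008-07-11 12:30:07 162165 --ahs---- C:\WINDOWS\system32\BadeLRqr.ini2
2008-07-11 11:56:23 0 d--h----- C:\$AVG8.VAULT$
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLedaB
AutoRun\command- D:\setup.exe
AutoRun\command- hdbifxd.exe
open\Command- hdbifxd.exe
"""

# Assumption: allowlists trimmed for the example.  msv1_0 is the only LSA
# authentication package a stock Windows XP installs; the Winlogon Notify
# names are the ones XP SP3 ships (dimsntfy is visible in the log above).
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "ScCertProp",
                "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)"
                       r"(?P<missing> \(file missing\))?")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
AUTORUN_RE = re.compile(r"^(?:AutoRun|open|explore)\\command- (?P<cmd>.+)$", re.IGNORECASE)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d \d+ (?P<attrs>\S+) (?P<path>.+)$")


def stem(path):
    """File name without directory or extension (BadeLRqr.ini2 -> BadeLRqr)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.split(".", 1)[0]


def triage(log_text):
    """Return (kind, detail) findings for the persistence points the log shows."""
    findings = []
    suspects = []       # stems of files loaded from suspicious autostart points
    seen_stems = set()  # stems of every entry in the "Files created" listing

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe (SYSTEM) at logon.  An
            # orphaned entry ("file missing") is what a half-finished cleanup leaves.
            if m.group("missing") or m.group("name") not in KNOWN_NOTIFY:
                findings.append(("winlogon_notify", m.group("name")))
                suspects.append(stem(m.group("dll")))
            continue

        m = APPINIT_RE.match(line)
        if m:
            # Loaded into every process that links user32.dll; AVG uses it
            # legitimately here, so report it for confirmation, not as malware.
            findings.append(("appinit_dll", m.group("dlls").strip()))
            continue

        m = AUTHPKG_RE.match(line)
        if m:
            # Anything besides msv1_0 here runs inside lsass.exe at boot,
            # Safe Mode included, so it survives most manual cleanups.
            for pkg in m.group("pkgs").split():
                if stem(pkg).lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
                    suspects.append(stem(pkg))
            continue

        m = AUTORUN_RE.match(line)
        if m:
            # A bare executable name in a MountPoints2 AutoRun command means the
            # file sits in the root of a removable drive (autorun.inf worm).
            cmd = m.group("cmd").strip()
            if not re.match(r"^[A-Za-z]:\\", cmd):
                findings.append(("autorun_relative", cmd))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            seen_stems.add(stem(path))
            # DSS attribute string is positional (d r a h s ...); a plain file
            # that is both hidden and system is unusual and worth a look.
            if attrs[0] != "d" and "h" in attrs and "s" in attrs:
                findings.append(("hidden_system_file", path))

    # Vundo keeps a copy of each loaded DLL under the reversed name with an
    # .ini/.ini2 extension, so pair every suspect with its mirror image.
    for s in suspects:
        if s[::-1] in seen_stems:
            findings.append(("reversed_name_pair", f"{s} <-> {s[::-1]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

Paste a full main.txt into SAMPLE_LOG (or read it from a file) and the same regexes apply; the point is that the registry-dump sections of the log, not the antivirus verdict, are where this kind of infection shows itself, and the reversed-name pairing turns two unrelated-looking lines into one finding.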


#2 smurfe000 (Topic Starter; Members, 5 posts)

Posted 15 July 2008 - 10:36 PM

Just some more things I've noticed with this little virus situation thing...

- my clock in the toolbar is in 24 hour time and won't allow me to change it... I've been told that when the virus was in its prime, instead of just the time being there it read "VIRUS ALERT!" and the time in 24 hour time
- Internet Explorer (IE7) is constantly asking me to allow ActiveX, which I know is normal, but usually after I've accepted it once it will reload and not ask again
- Adobe Flash Player won't install

That's all I can think of at the moment... if anything else that seems unusual comes up I'll let you know. Also, if these little additions aren't any help please let me know and I will stop posting them.

Once again, thanks in advance :thumbsup:

#3 SNOWHITE (missy malware magnet; Members, 2,676 posts; Location: Bitola, Macedonia)

Posted 04 August 2008 - 11:27 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, then click on Run.
Copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished,
please post back both logs that open in Notepad,
main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#4 smurfe000 (Topic Starter; Members, 5 posts)

Posted 06 August 2008 - 01:57 AM

Hello BC maestro

Please find below the reports requested. Also, I would like to make a note that although the Kaspersky Scanner has come up negative, I am positive there is something wrong here; one of the major clues to this is that whenever I go to save a file or rename a file I must manually enter the extension name, i.e. .doc, .pdf, .txt etc., otherwise the file is unusable. Anyways, here are the reports...

Deckard's System Scanner v20071014.68
Run by User on 2008-08-06 15:38:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
89: 2008-08-06 05:38:24 UTC - RP89 - Deckard's System Scanner Restore Point
88: 2008-08-06 04:02:51 UTC - RP88 - Software Distribution Service 3.0
87: 2008-08-06 03:40:58 UTC - RP87 - Software Distribution Service 3.0
86: 2008-08-06 03:27:53 UTC - RP86 - Software Distribution Service 3.0
85: 2008-08-06 03:22:45 UTC - RP85 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-14 03:44:52 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:30, on 6/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\Program Files\RDS\ddsschednt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RDS\dds.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RDS\spooler.exe
C:\Documents and Settings\User\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4CDD4075-7FEE-4433-800A-54FC5F855531} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E839189-8D33-464D-9338-1A91BBBD0EDE} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Delivery Services.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215760081963
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216011221906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yaywvTlm - yaywvTlm.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe

--
End of file - 6701 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys

S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DdsSched (Dds Scheduler Deamon) - c:\program files\rds\ddsschednt.exe <Not Verified; RICOH Company Ltd.; Ridoc Docuent System>
R2 RsiSvc (Ridoc Server Information Service) - c:\program files\rds\rsisvc.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
R2 ScanRouterDriverV2 - c:\program files\rds\srscandr.exe <Not Verified; Ricoh Co.,Ltd.; Server Application Program>
R2 SOption - c:\program files\rds\soption.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 1112)
2008-04-23 14:16:28 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>

C:\WINDOWS\explorer.exe (pid 3544)
2008-04-23 14:16:28 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-04-23 14:16:28 6066176 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2006-10-18 21:47:22 133632 --a------ C:\WINDOWS\system32\WPDShServiceObj.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2006-10-18 21:47:18 166912 --a------ C:\WINDOWS\system32\PortableDeviceTypes.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2006-10-18 21:47:18 284160 --a------ C:\WINDOWS\system32\PortableDeviceApi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Scheduled Tasks -------------------------------------------------------------

2008-08-06 14:02:53 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 13:22:17 0 d-------- C:\WINDOWS\LastGood
2008-07-23 11:28:41 0 d-------- C:\Documents and Settings\User\Application Data\Samsung
2008-07-23 11:19:44 174592 --a------ C:\WINDOWS\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-23 11:19:05 5632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-07-23 11:17:48 0 d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-07-23 11:17:44 0 d-------- C:\Program Files\Samsung
2008-07-16 10:27:06 0 d-------- C:\WINDOWS\Sun
2008-07-16 10:26:11 0 d-------- C:\Program Files\Sun
2008-07-16 10:23:25 0 d-------- C:\Program Files\Java
2008-07-16 10:23:18 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 10:23:03 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2008-07-16 09:56:40 0 d-------- C:\Program Files\SDM20
2008-07-16 09:47:37 0 d-------- C:\Program Files\Trend Micro
2008-07-14 15:28:50 0 d-------- C:\Program Files\Windows Defender
2008-07-14 14:38:39 0 d-------- C:\WINDOWS\Prefetch
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\system32\scripting
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\system32\en
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\l2schemas
2008-07-14 14:34:49 0 d-------- C:\WINDOWS\system32\bits
2008-07-14 14:32:30 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 14:27:26 0 d-------- C:\WINDOWS\EHome
2008-07-11 17:21:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 16:39:30 0 d-------- C:\WINDOWS\setup.pss
2008-07-11 16:15:51 2330 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 16:15:15 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-11 16:15:15 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-11 16:15:15 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-11 16:15:15 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-11 16:15:15 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-11 16:15:15 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-11 16:15:15 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-11 15:56:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-11 14:31:48 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-11 14:31:48 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-11 14:31:48 3145728 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-11 14:31:48 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-11 14:31:48 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-11 14:31:48 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-11 14:31:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-11 14:31:48 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-11 14:31:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-11 14:31:48 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-11 14:27:29 0 d-------- C:\Autoruns
2008-07-11 12:30:07 162165 --ahs---- C:\WINDOWS\system32\BadeLRqr.ini2
2008-07-11 12:24:25 0 d-------- C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-11 11:56:23 0 d--h----- C:\$AVG8.VAULT$


-- Find3M Report ---------------------------------------------------------------

2008-07-23 14:36:30 0 d-------- C:\Program Files\dvd shrink
2008-07-23 11:18:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-23 11:06:08 0 d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-07-16 12:02:19 0 d-------- C:\Program Files\MSN Messenger
2008-07-16 10:23:18 0 d-------- C:\Program Files\Common Files
2008-07-14 16:15:38 0 d-------- C:\Program Files\Google
2008-07-14 14:35:15 0 d-------- C:\Program Files\Messenger
2008-07-14 14:34:49 0 d-------- C:\Program Files\Movie Maker
2008-07-14 14:32:19 0 d-------- C:\Program Files\Windows NT
2008-07-14 13:30:53 22816 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-14 12:11:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-04 10:15:46 0 d-------- C:\Documents and Settings\User\Application Data\aAvgApi
2008-06-18 10:55:53 0 d-------- C:\Documents and Settings\User\Application Data\DivX
2008-06-17 11:07:57 0 d-------- C:\Program Files\Avery


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CDD4075-7FEE-4433-800A-54FC5F855531}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E839189-8D33-464D-9338-1A91BBBD0EDE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
04/07/2008 10:57 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/07/2008 10:57 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [08/03/2005 13:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [01/11/2005 06:15 C:\WINDOWS\system32\VTTrayp.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/01/2005 03:01]
"Hotkey"="C:\Program Files\Hotkey\Hotkey.exe" [04/04/2004 11:38]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [07/04/2001 15:26]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [05/11/2000 14:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 21:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [30/07/2008 13:24]
"SoundMan"="SOUNDMAN.EXE" [23/09/2005 02:42 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/18/1999 6:05:56 AM]
Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [2/5/2008 1:22:14 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvTlm]
yaywvTlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLedaB

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b21bdac-4d55-11db-9dd2-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa2e3f8b-cb82-11db-afba-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4d95185-eb0f-11dc-a9da-0018f31bf63a}]
AutoRun\command- hdbifxd.exe
explore\Command- hdbifxd.exe
open\Command- hdbifxd.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8784 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-06 15:40:40 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 4300 @ 1.80GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 959.23 MiB / 533.1 MiB
Pagefile Memory (total/avail): 2317.97 MiB / 2002.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1874.93 MiB

C: is Fixed (NTFS) - 298.09 GiB total, 288.8 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DESK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\DESK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=DESK
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Avery Wizard 3.1 --> MsiExec.exe /I{B4E96960-5F6B-48B9-A5BD-6A5A9BB4F027}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Free iPod Video Converter 1.34 --> "C:\Program Files\Jodix - iPod Video Converter\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotkey 2.0 --> "C:\Program Files\Hotkey\unins000.exe"
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Development Kit 6 Update 7 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160070}
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
MYOB BusinessBasics v1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A06176AF-7494-4B29-BE74-F01323AD3233}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
SAMSUNG Mobile Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Samsung PC Studio 3 USB Driver Installer --> "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -runfromtemp -l0x0009 -removeonly
ScanRouter V2 Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{387D6CC5-6D6C-4BA0-8EAF-955813BFC5D8}\Setup.exe" -l0x9 UNINSTALL
SmartNetMonitor for Client --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\RMClient\UninstC.isu" -c"C:\PROGRA~1\RMClient\_PMCEND.DLL"
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sun™ Download Manager 2.0 --> C:\Program Files\SDM20\Uninstal.exe
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA/S3G Display Driver --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5619 / Error
Event Submitted/Written: 08/06/2008 03:40:14 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type5617 / Error
Event Submitted/Written: 08/06/2008 03:38:52 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type5616 / Error
Event Submitted/Written: 08/06/2008 03:38:52 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type5615 / Error
Event Submitted/Written: 08/06/2008 03:35:20 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type5614 / Error
Event Submitted/Written: 08/06/2008 03:31:09 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type51657 / Warning
Event Submitted/Written: 08/06/2008 03:38:58 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DESK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DESK27 can't undo changes that you allow.

For more information please see the following:
%DESK275

Scan ID: {F8510416-C48B-4DA1-AC7C-09C0797D41D1}

User: DESK\User

Name: %DESK271

ID: %DESK272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DESK276

Alert Type: %DESK278

Detection Type: 1.1.1593.02

Event Record #/Type51656 / Warning
Event Submitted/Written: 08/06/2008 03:38:58 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DESK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DESK27 can't undo changes that you allow.

For more information please see the following:
%DESK275

Scan ID: {0084AC7C-3CA3-45A5-9B1A-D27D631FE9DF}

User: DESK\User

Name: %DESK271

ID: %DESK272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DESK276

Alert Type: %DESK278

Detection Type: 1.1.1593.02

Event Record #/Type51655 / Warning
Event Submitted/Written: 08/06/2008 03:38:58 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DESK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DESK27 can't undo changes that you allow.

For more information please see the following:
%DESK275

Scan ID: {8F407F61-F36C-4933-9947-3FB436EF1C93}

User: DESK\User

Name: %DESK271

ID: %DESK272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DESK276

Alert Type: %DESK278

Detection Type: 1.1.1593.02

Event Record #/Type51654 / Warning
Event Submitted/Written: 08/06/2008 03:38:57 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DESK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DESK27 can't undo changes that you allow.

For more information please see the following:
%DESK275

Scan ID: {62EF660F-0C42-41A9-A54F-21D7D68B4B22}

User: DESK\User

Name: %DESK271

ID: %DESK272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DESK276

Alert Type: %DESK278

Detection Type: 1.1.1593.02

Event Record #/Type51653 / Warning
Event Submitted/Written: 08/06/2008 03:38:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DESK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DESK27 can't undo changes that you allow.

For more information please see the following:
%DESK275

Scan ID: {7126FF1B-5B2E-47C8-B043-29E8B34DEF61}

User: DESK\User

Name: %DESK271

ID: %DESK272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DESK276

Alert Type: %DESK278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-08-06 15:40:40 ------------



KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 6, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 06, 2008 04:38:14
Records in database: 1059544


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 37500
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:41:31

No malware has been detected. The scan area is clean.
The selected area was scanned.


Thank you in advance for any help you may provide.

#5 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 09 August 2008 - 04:13 PM

Hello smurfe000,

Before we proceed with fixes, I need you to disable SPYBOT TEATIMER and WINDOWS DEFENDER because they will interfere with the fixes. We will enable them when the computer is clean. Please go to this LINK, scroll down to the instructions for disabling the above said programs and follow them.

Next:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK


Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {4CDD4075-7FEE-4433-800A-54FC5F855531} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E839189-8D33-464D-9338-1A91BBBD0EDE} - (no file)
O20 - Winlogon Notify: yaywvTlm - yaywvTlm.dll (file missing)


Then close all windows except HijackThis and click Fix Checked.

Restart

Use Windows Explorer to find and delete these files:

C:\WINDOWS\system32\BadeLRqr.ini2

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete


Next:

Click start > Run > in the empty edit box copy&paste this line :

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries in case they appear:
.cpl
.cpl
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt
  • I'll need that log later.
If everything is ok again, it should display the "all associations ok message"

Next:
  • 1 - Go Here and download ERUNT
    Double click erunt-setup.exe and follow the prompts for installing ERUNT using the default settings.
    At the prompt that asks you to add ERUNT to the start-up folder, answer No, (you can enable this option later).

    2 - Start ERUNT
    At the dialog box asking where to save registry backup, leave the default location on.
    Default location should be this: "C:\WINDOWS\ERDNT\7-4-2008" <-- where the numbers differ depending on the current date.

    Make sure that there is a check mark next to these options:
    • System registry
    • Current user registry
  • Click OK
  • Answer YES at the prompt asking to create the folder.
Save text below as fixme.reg on Notepad. Save it as All Files and save it on your Desktop.
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4d95185-eb0f-11dc-a9da-0018f31bf63a}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Next:

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.



In your next post please include the following reports:
  • daft.txt
  • Gmer report
  • new dss scan report main.txt
Let me know how the things went.

Edited by SNOWHITE, 09 August 2008 - 04:18 PM.

SNOWHITE
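The fix above targets three persistence points that the DSS registry dump already exposed: a Winlogon Notify package whose DLL is gone (yaywvTlm.dll), an extra LSA "Authentication Packages" entry (rqRLedaB, whose name reversed is the BadeLRqr.ini2 file in the "Files created" list), and a MountPoints2 AutoRun handler for hdbifxd.exe. The following Python script is an added example, not part of this thread and not DSS, HijackThis or ERUNT code. It re-reads the registry-dump lines copied from the log above (embedded here as constructed sample input), flags those three indicators, and decodes the hex(7) value in fixme.reg so you can confirm what the REGEDIT4 merge will actually write before running it. The heuristics (a bare file name with no drive letter counts as suspicious; msv1_0 is the only expected authentication package on a standalone XP box) are the example's own assumptions, as are the function names.

```python
"""Triage of the DSS registry dump posted in this thread, plus a decoder for
the REGEDIT4 hex(7) value used in fixme.reg. Added example; the sample
input below is copied from the log above, not generated by any tool."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: registry-dump lines from the DSS main.txt above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvTlm]
yaywvTlm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLedaB

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b21bdac-4d55-11db-9dd2-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4d95185-eb0f-11dc-a9da-0018f31bf63a}]
AutoRun\command- hdbifxd.exe
explore\Command- hdbifxd.exe
open\Command- hdbifxd.exe
"""

# Constructed sample: file names taken from the "Files created" section above.
SAMPLE_NEW_FILES = ["framedyn.dll", "StarOpen.sys", "BadeLRqr.ini2", "tmp.reg"]

DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)  # "C:\..." style absolute path


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Group a DSS registry dump into {key path: [value lines under it]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def winlogon_notify_findings(sections) -> List[Tuple[str, str]]:
    """Notify packages whose DLL is a bare name rather than a full path
    (HijackThis reported the same entry as 'file missing')."""
    out = []
    for key, values in sections.items():
        if "\\winlogon\\notify\\" in key.lower():
            for dll in values:
                if not DRIVE_PATH.match(dll):
                    out.append((key.rsplit("\\", 1)[-1], dll))
    return out


def lsa_extra_packages(sections) -> List[str]:
    """Authentication Packages other than msv1_0: each is loaded into
    lsass.exe at boot, which is why the fix rewrites this value."""
    target = r"hkey_local_machine\system\currentcontrolset\control\lsa"
    extras = []
    for key, values in sections.items():
        if key.lower() != target:
            continue
        for v in values:
            if v.lower().startswith('"authentication packages"'):
                extras += [p for p in v.split("=", 1)[1].split()
                           if p.lower() != "msv1_0"]
    return extras


def mountpoints_autorun_findings(sections) -> List[Tuple[str, str, str]]:
    """MountPoints2 AutoRun/open/explore commands naming a bare executable,
    i.e. something that ran from a removable volume's root. Entries with an
    explicit drive (the D:\setup.exe CD-ROM ones) are skipped by this rule."""
    out = []
    for key, values in sections.items():
        if "\\mountpoints2\\" in key.lower():
            for v in values:
                verb, _, cmd = v.partition("- ")
                cmd = cmd.strip()
                if cmd and not DRIVE_PATH.match(cmd):
                    out.append((key.rsplit("\\", 1)[-1], verb.strip(), cmd))
    return out


def reversed_name_pairs(names, files) -> List[Tuple[str, str]]:
    """Pair each suspicious name with a dropped file whose stem is that name
    spelled backwards (rqRLedaB <-> BadeLRqr.ini2 in the log above)."""
    stems = {f.split(".")[0]: f for f in files}
    pairs = []
    for n in names:
        base = n.rsplit("\\", 1)[-1]
        if base[::-1] in stems:
            pairs.append((base, stems[base[::-1]]))
    return pairs


def decode_reg_multi_sz(hex_bytes: str) -> List[str]:
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ) value. Under the REGEDIT4
    header strings are ANSI: each NUL-terminated, list ends with an extra NUL.
    (A 'Windows Registry Editor Version 5.00' file would hold UTF-16LE.)"""
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_reg_multi_sz(strings: List[str]) -> str:
    """Inverse of decode_reg_multi_sz, for writing a REGEDIT4 value by hand."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def triage(dump: str, new_files: List[str]) -> dict:
    sections = parse_dump(dump)
    extras = lsa_extra_packages(sections)
    return {
        "winlogon_notify": winlogon_notify_findings(sections),
        "lsa_extra_packages": extras,
        "mountpoints_autorun": mountpoints_autorun_findings(sections),
        "reversed_pairs": reversed_name_pairs(extras, new_files),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_DUMP, SAMPLE_NEW_FILES).items():
        print(f"{name}: {hits}")
    fix = "6d,73,76,31,5f,30,00,00"  # the hex(7) value from fixme.reg above
    print("fixme.reg will set Authentication Packages to:", decode_reg_multi_sz(fix))
```

Decoding the fixme.reg bytes yields exactly ["msv1_0"], so the merge drops rqRLedaB and nothing else; the same check is worth running on any .reg fix you did not write yourself. Note the header matters: the byte string above is only correct under REGEDIT4, where hex(7) is ANSI; the same value in a "Windows Registry Editor Version 5.00" file is twice as long because it is UTF-16LE.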

#6 smurfe000

smurfe000
  • Topic Starter

  • Members
  • 5 posts

Posted 13 August 2008 - 09:55 PM

Hi snowwhite,
sorry about the delayed response, I have been sick in bed so haven't seen my PC for a while. Anyway, enough self pity from me. I've done everything you asked but, as you'll notice, I'll only post the daft.txt report and main.txt (DSS scan) report. For some apparent reason the GMER scan returned nothing back and so there is no report for that. If you could advise on that issue as well that would be greatly appreciated. Please find the 2 reports I do have below:

DAFT Log saved on 2008-08-14 11:41:31
-----------------------------------------------------------------------
All associations okay!


Deckard's System Scanner v20071014.68
Run by User on 2008-08-14 12:49:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
103: 2008-08-14 02:49:31 UTC - RP103 - Deckard's System Scanner Restore Point
102: 2008-08-13 07:23:13 UTC - RP102 - Software Distribution Service 3.0
101: 2008-08-13 04:21:37 UTC - RP101 - Software Distribution Service 3.0
100: 2008-08-13 04:00:51 UTC - RP100 - Software Distribution Service 3.0
99: 2008-08-13 01:59:50 UTC - RP99 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-14 03:44:52 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:37, on 14/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\Program Files\RDS\ddsschednt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\RDS\dds.exe
C:\Program Files\RDS\spooler.exe
C:\Documents and Settings\User\Desktop\gmer\gmer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Delivery Services.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215760081963
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216011221906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe

--
End of file - 6184 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080814-113730-291 O2 - BHO: (no name) - {8E839189-8D33-464D-9338-1A91BBBD0EDE} - (no file)
backup-20080814-113730-511 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080814-113730-594 O2 - BHO: (no name) - {4CDD4075-7FEE-4433-800A-54FC5F855531} - (no file)
backup-20080814-113730-686 O20 - Winlogon Notify: yaywvTlm - yaywvTlm.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys

S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DdsSched (Dds Scheduler Deamon) - c:\program files\rds\ddsschednt.exe <Not Verified; RICOH Company Ltd.; Ridoc Docuent System>
R2 RsiSvc (Ridoc Server Information Service) - c:\program files\rds\rsisvc.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
R2 ScanRouterDriverV2 - c:\program files\rds\srscandr.exe <Not Verified; Ricoh Co.,Ltd.; Server Application Program>
R2 SOption - c:\program files\rds\soption.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Compatable Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_80A71043&REV_7C\3&267A616A&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Compatable Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_80A71043&REV_7C\3&267A616A&0&90
Service: FETNDIS


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 872)
2008-04-23 14:16:28 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>

C:\WINDOWS\explorer.exe (pid 432)
2008-04-23 14:16:28 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-04-23 14:16:28 6066176 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2006-10-18 21:47:22 133632 --a------ C:\WINDOWS\system32\WPDShServiceObj.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2006-10-18 21:47:18 166912 --a------ C:\WINDOWS\system32\PortableDeviceTypes.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2006-10-18 21:47:18 284160 --a------ C:\WINDOWS\system32\PortableDeviceApi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-07-23 11:28:41 0 d-------- C:\Documents and Settings\User\Application Data\Samsung
2008-07-23 11:19:44 174592 --a------ C:\WINDOWS\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-23 11:19:05 5632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-07-23 11:17:48 0 d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-07-23 11:17:44 0 d-------- C:\Program Files\Samsung
2008-07-16 10:27:06 0 d-------- C:\WINDOWS\Sun
2008-07-16 10:26:11 0 d-------- C:\Program Files\Sun
2008-07-16 10:23:25 0 d-------- C:\Program Files\Java
2008-07-16 10:23:18 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 10:23:03 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2008-07-16 09:56:40 0 d-------- C:\Program Files\SDM20
2008-07-16 09:47:37 0 d-------- C:\Program Files\Trend Micro
2008-07-14 15:28:50 0 d-------- C:\Program Files\Windows Defender
2008-07-14 14:38:39 0 d-------- C:\WINDOWS\Prefetch
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\system32\scripting
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\system32\en
2008-07-14 14:34:50 0 d-------- C:\WINDOWS\l2schemas
2008-07-14 14:34:49 0 d-------- C:\WINDOWS\system32\bits
2008-07-14 14:32:30 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 14:27:26 0 d-------- C:\WINDOWS\EHome


-- Find3M Report ---------------------------------------------------------------

2008-07-23 14:36:30 0 d-------- C:\Program Files\dvd shrink
2008-07-23 11:18:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-23 11:06:08 0 d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-07-16 12:02:19 0 d-------- C:\Program Files\MSN Messenger
2008-07-16 10:23:18 0 d-------- C:\Program Files\Common Files
2008-07-14 16:15:38 0 d-------- C:\Program Files\Google
2008-07-14 14:35:15 0 d-------- C:\Program Files\Messenger
2008-07-14 14:34:49 0 d-------- C:\Program Files\Movie Maker
2008-07-14 14:32:19 0 d-------- C:\Program Files\Windows NT
2008-07-14 13:30:53 22816 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-14 12:11:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-11 16:20:22 2330 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 14:13:56 0 d-------- C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-04 10:15:46 0 d-------- C:\Documents and Settings\User\Application Data\aAvgApi
2008-06-18 10:55:53 0 d-------- C:\Documents and Settings\User\Application Data\DivX
2008-06-17 11:07:57 0 d-------- C:\Program Files\Avery
2008-05-29 09:35:36 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-23 18:21:42 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
04/07/2008 10:57 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/07/2008 10:57 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [01/11/2005 06:15 C:\WINDOWS\system32\VTTrayp.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/01/2005 03:01]
"Hotkey"="C:\Program Files\Hotkey\Hotkey.exe" [04/04/2004 11:38]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [07/04/2001 15:26]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [05/11/2000 14:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 21:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [30/07/2008 13:24]
"SoundMan"="SOUNDMAN.EXE" [23/09/2005 02:42 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/18/1999 6:05:56 AM]
Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [2/5/2008 1:22:14 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VTTimer"=VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b21bdac-4d55-11db-9dd2-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa2e3f8b-cb82-11db-afba-806d6172696f}]
AutoRun\command- D:\setup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8784 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-14 12:50:33 ------------



Thanks in advance for any further assistance in this issue.

Regards
Smurfe000

#7 SNOWHITE
    missy malware magnet
  • Location:Bitola, Macedonia

Posted 18 August 2008 - 12:36 AM

Hello and sorry for the delay.

For some apparent reason the Gmer scan returned nothing back and so there is no report for that. If you could advise on that issue as well that would be greatly appreciated.


Gmer likely didn't find anything hidden, so when the scan was done the window where the report was supposed to be came back empty. I don't see any signs of malware in your reports, but we will do a few more checks to make sure of that.

Can you tell me what D:\ drive is used for?

Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

The "Adobe PDF Reader Link Helper" file is missing, if you are using this program you will need to reinstall it to work properly.


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)


Then close all windows except HijackThis and click Fix Checked.

If you are not using any Symantec products delete this folder if found:

C:\Program Files\Common Files\Symantec Shared

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.

Post back with the SUPERAntiSpyware report, Blacklight report, fresh HijackThis report and let me know how the computer is running.


Regards,
SNOWHITE
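The reply above singles out HijackThis entries by a few simple properties: a registry reference whose file is gone ("(file missing)"), an O23 service with no recognisable owner, and the O20 Winlogon Notify hooks that were already fixed earlier in the thread. As an added example, not code posted by anyone in this thread, the script below parses a HijackThis log in the format shown here and sorts its entries into those buckets. The sample lines are constructed from the log format used in this thread; the parser, bucket names and the `Entry` class are assumptions of this example, not part of HijackThis.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis log format used in this thread; the
# lines mirror entries that appear in the posted logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: yaywvTlm - yaywvTlm.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# A HijackThis entry starts with a section code (R0, O2, O20, O23, ...) and a dash.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
MISSING_MARK = "(file missing)"


@dataclass(frozen=True)
class Entry:
    kind: str           # section code, e.g. "O20"
    body: str           # rest of the line, without the "(file missing)" marker
    file_missing: bool  # HijackThis could not find the referenced file on disk


def parse_hjt(text: str) -> list[Entry]:
    """Parse the entry lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING_MARK)
        if missing:
            body = body[: -len(MISSING_MARK)].rstrip()
        entries.append(Entry(m.group("kind"), body, missing))
    return entries


def triage(text: str) -> dict[str, list[Entry]]:
    """Group entries the way a helper reviews them.

    file_missing:    the registry still points at a file that is gone; clutter
                     or the leftovers of an incomplete removal, safe to fix.
    unknown_owner:   an O23 service whose binary carries no recognisable
                     company name; worth checking before trusting it.
    winlogon_notify: O20 Winlogon Notify hooks load a DLL into winlogon.exe at
                     logon, so every entry here deserves a look, missing or not.
    """
    entries = parse_hjt(text)
    return {
        "file_missing": [e for e in entries if e.file_missing],
        "unknown_owner": [e for e in entries
                          if e.kind == "O23" and "Unknown owner" in e.body],
        "winlogon_notify": [e for e in entries
                            if e.kind == "O20" and e.body.startswith("Winlogon Notify:")],
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(items)})")
        for e in items:
            print(f"  {e.kind} - {e.body}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's contents; the "file_missing" bucket is the list of lines the reply says can be ticked and fixed, while the other two buckets are the ones to read before acting.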

#8 smurfe000
  • Topic Starter

Posted 24 August 2008 - 09:59 PM

Hi Snowwhite,

sorry about the delay in response, but I've finally gotten around to taking the next step...

Firstly to answer your question, D:\ is a CD/DVD-ROM drive

You'll also find all of the requested logs below, as for the pc...it's running standardish, internet explorer is still very slow as well as the pc in general and the time stamp in the bottom right corner is still in 24 hour format which is odd. I have totally removed adobe reader now, and will re-install that later. Also, I don't know if the logs tell you but SUPERAntiSpyware did find some malware, and apparently removed it which I'm a little excited about lol. Did I mention IE is very slow.

Let me know if there is anything else I can do to help...cheers and thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:53, on 25/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RDS\dds.exe
C:\Program Files\RDS\spooler.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Delivery Services.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215760081963
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216011221906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe

--
End of file - 6028 bytes

#9 SNOWHITE
    missy malware magnet
  • Location:Bitola, Macedonia

Posted 29 August 2008 - 05:54 PM

Hello smurfe000, no worries about the delay.

You haven't posted the SUPERAntiSpyware and Blacklight reports, can you please post them back here?

I would like to see what SUPERAntiSpyware deleted and whether Blacklight found anything. It will help me decide how to proceed with the next steps.

Regards
SNOWHITE

#10 SNOWHITE
    missy malware magnet
  • Location:Bitola, Macedonia

Posted 06 September 2008 - 07:53 PM

smurfe000, do you still need help with the computer?
SNOWHITE

#11 SNOWHITE
    missy malware magnet
  • Location:Bitola, Macedonia

Posted 21 September 2008 - 04:23 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you
SNOWHITE