Defender Alert Trojan:win32/conhook.i


  • This topic is locked
6 replies to this topic

#1 jaunos (Members, 3 posts)

Posted 29 July 2008 - 09:20 AM

Hello,
Sorry for my bad English.
Windows Defender alerts on Trojan:Win32/Conhook; I tried to remove it but can't.
Here are some log files:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 29, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 12:24:08
Records in database: 1022043
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Akos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows

Scan statistics:
Files scanned: 123192
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:55:27


File name / Threat name / Threats count
C:\Windows\System32\rejfupql.dll Infected: Trojan.Win32.Monder.bcb 1

The selected area was scanned.
-------------------------------------KASPERSKY ONLINE SCANNER 7 REPORT END-------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Akos on 2008-07-29 15:57:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 2 Restore Point(s) --
2: 2008-07-29 09:25:26 UTC - RP136 - Windows Defender Checkpoint
1: 2008-07-28 23:42:25 UTC - RP134 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Akos.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:28, on 2008.07.29.
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Users\Akos\Desktop\dss.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Akos\Desktop\Akos.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~1\TerraTec\TERRAT~1\THCDES~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\byxVMfDt.dll,#1
O4 - HKLM\..\Run: [BM57197c5b] Rundll32.exe "C:\Windows\system32\rejfupql.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Akos\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Bingo Day - {003E07C0-CA63-4be3-BD0A-A60B64102C97} - C:\Bingo\Bingo Day\casino.exe
O9 - Extra 'Tools' menuitem: Bingo Day - {003E07C0-CA63-4be3-BD0A-A60B64102C97} - C:\Bingo\Bingo Day\casino.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 8173 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 12:19:09 0 d-------- C:\Program Files\True Sword 4
2008-07-29 11:57:34 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-29 11:37:24 0 d-------- C:\Program Files\Enigma Software Group
2008-07-29 11:24:47 36352 --a------ C:\Windows\system32\byxVMfDt.dll
2008-07-29 01:43:59 80896 --a------ C:\Windows\system32\gxxvlggq.dll
2008-07-29 01:43:51 91136 --a------ C:\Windows\system32\rejfupql.dll
2008-07-29 01:38:55 1371 --ahs---- C:\Windows\system32\TBJRAGgh.ini2
2008-07-29 01:33:48 0 d-------- C:\Program Files\Total Video Converter
2008-07-29 01:33:42 36352 --a------ C:\Windows\system32\jkkJyYoP.dll
2008-07-29 01:16:53 165477 --a------ C:\Windows\Video Cleaner Pro Uninstaller.exe
2008-07-29 01:16:52 0 d-------- C:\Users\All Users\River Past G5
2008-07-29 01:16:52 0 d-------- C:\Program Files\River Past
2008-07-29 01:16:52 0 d-------- C:\Program Files\Common Files\River Past
2008-07-29 00:53:43 1245184 --a------ C:\Windows\system32\bkll.dll <Not Verified; NCT Company Ltd.; NCTRMFile ActiveX DLL>
2008-07-29 00:53:43 215552 --a------ C:\Windows\system32\ALOWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
2008-07-29 00:53:43 188416 --a------ C:\Windows\system32\ALOVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
2008-07-29 00:53:43 495104 --a------ C:\Windows\system32\ALOVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
2008-07-29 00:53:43 249856 --a------ C:\Windows\system32\ALOQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
2008-07-29 00:53:43 382464 --a------ C:\Windows\system32\ALOAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
2008-07-29 00:53:42 1 --a------ C:\Windows\yedlata.dll
2008-07-29 00:53:42 237568 --a------ C:\Windows\system32\lame_enc.dll
2008-07-29 00:53:42 403968 --a------ C:\Windows\system32\ALOWMAFile2.dll <Not Verified; Online Media Technologies Ltd.; NCTWMAFile2 ActiveX DLL>
2008-07-29 00:53:42 780288 --a------ C:\Windows\system32\ALOVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
2008-07-29 00:53:42 90112 --a------ C:\Windows\system32\ALOAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-07-29 00:53:42 877568 --a------ C:\Windows\system32\ALOAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-07-29 00:53:42 2846720 --a------ C:\Windows\system32\ALOAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-07-29 00:53:42 778240 --a------ C:\Windows\system32\ALOAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>
2008-07-29 00:53:40 0 d-------- C:\Windows\system32\RMBin
2008-07-28 23:24:27 0 d-------- C:\Program Files\WeFi Software
2008-07-27 23:47:23 0 d-------- C:\Program Files\Spectec
2008-07-27 00:01:45 0 d-------- C:\Program Files\Micro Madness
2008-07-26 20:44:32 0 d-------- C:\Windows\Sun
2008-07-26 12:16:15 0 d-------- C:\Program Files\Bonjour
2008-07-26 12:12:09 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-24 17:09:25 0 d-------- C:\Program Files\QuickTime
2008-07-24 17:09:24 0 d-------- C:\Users\All Users\Apple Computer
2008-07-24 17:08:43 0 d-------- C:\Users\All Users\Apple
2008-07-24 17:08:43 0 d-------- C:\Program Files\Apple Software Update
2008-07-24 16:43:13 0 d-------- C:\Windows\system32\drivers\downld
2008-07-23 20:47:02 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-23 20:09:54 0 d-------- C:\Program Files\Windows Mobile Device Handbook
2008-07-23 19:38:29 0 d-------- C:\Program Files\NavNGo
2008-07-20 20:32:51 0 d-------- C:\Bingo
2008-07-17 10:49:21 0 d-------- C:\Program Files\seven m
2008-07-16 13:16:49 0 d-------- C:\Program Files\Guitar Pro 5
2008-07-12 21:51:09 0 d-------- C:\Windows\Roogoo
2008-07-10 08:01:59 0 d-------- C:\Windows\SQLTools9_KB948109_ENU
2008-07-10 08:00:22 0 d-------- C:\Windows\SQL9_KB948109_ENU
2008-07-07 15:44:30 0 d-------- C:\Poker
2008-07-06 12:15:35 0 d-------- C:\Program Files\AC3Filter
2008-07-05 18:36:53 0 d-------- C:\Program Files\FLAC
2008-07-05 18:26:17 0 d-------- C:\Program Files\Monkey's Audio
2008-07-05 16:53:13 0 d-------- C:\Program Files\Atari


-- Find3M Report ---------------------------------------------------------------

2008-07-29 13:30:35 0 d-------- C:\Users\Akos\AppData\Roaming\uTorrent
2008-07-29 12:19:31 0 d-------- C:\Users\Akos\AppData\Roaming\True Sword
2008-07-29 11:03:23 654298 --a------ C:\Windows\system32\perfh00E.dat
2008-07-29 11:03:23 159634 --a------ C:\Windows\system32\perfc00E.dat
2008-07-29 01:28:48 0 d-------- C:\Program Files\Xvid
2008-07-29 01:16:52 0 d-------- C:\Users\Akos\AppData\Roaming\River Past G5
2008-07-29 01:16:52 0 d-------- C:\Program Files\Common Files
2008-07-27 23:57:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 14:24:39 0 d-------- C:\Users\Akos\AppData\Roaming\Adobe
2008-07-26 12:16:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-24 11:39:53 0 d-------- C:\Users\Akos\AppData\Roaming\Hide IP NG
2008-07-23 19:38:38 0 d-------- C:\Users\Akos\AppData\Roaming\navngo.com
2008-07-22 09:22:52 0 d-------- C:\Program Files\Java
2008-07-21 18:53:13 0 d-------- C:\Users\Akos\AppData\Roaming\Chameleon Submitter
2008-07-12 21:54:02 0 d-------- C:\Users\Akos\AppData\Roaming\Roogoo
2008-07-10 08:02:07 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-10 08:00:02 0 d-------- C:\Program Files\Windows Mail
2008-07-05 16:57:41 0 dr-h----- C:\Users\Akos\AppData\Roaming\SecuROM
2008-07-05 16:53:11 0 d-------- C:\Users\Akos\AppData\Roaming\gnupg
2008-06-21 02:25:32 0 d-------- C:\Program Files\Trillian
2008-06-20 19:47:02 0 d-------- C:\Program Files\Chameleon Confirmer
2008-06-19 21:57:18 0 d-------- C:\Program Files\Microsoft Press Training Kit Exam Prep
2008-06-17 21:09:16 0 d-------- C:\Users\Akos\AppData\Roaming\Mozilla
2008-06-17 17:03:33 932864 --a------ C:\Windows\system32\DreamSaver.scr
2008-06-16 21:49:42 0 d-------- C:\Program Files\IrfanView
2008-06-15 21:29:56 0 d-------- C:\Program Files\Common Files\Java
2008-06-07 15:59:08 0 d-------- C:\Users\Akos\AppData\Roaming\Nero
2008-06-07 15:57:37 0 d-------- C:\Program Files\Nero
2008-06-07 15:57:29 0 d-------- C:\Program Files\Common Files\Nero
2008-06-07 00:20:09 0 d-------- C:\Users\Akos\AppData\Roaming\GHISLER
2008-06-06 12:15:28 0 d-------- C:\Program Files\Microsoft Works
2008-06-06 12:15:14 0 d-------- C:\Program Files\MSBuild
2008-06-06 12:12:42 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-30 16:05:03 0 d-------- C:\Users\Akos\AppData\Roaming\vlc
2008-05-30 16:03:50 0 d-------- C:\Program Files\VideoLAN
2008-05-30 10:19:27 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-05-29 19:01:32 174 --ahs---- C:\Program Files\desktop.ini
2008-05-29 18:55:29 0 d-------- C:\Program Files\Windows Sidebar
2008-05-29 18:55:29 0 d-------- C:\Program Files\Windows Calendar
2008-05-29 18:55:29 0 d-------- C:\Program Files\Movie Maker
2008-05-29 18:55:28 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-29 18:55:28 0 d-------- C:\Program Files\Windows Journal
2008-05-29 18:55:28 0 d-------- C:\Program Files\Windows Collaboration
2008-05-29 18:55:27 0 d-------- C:\Program Files\Windows Defender
2008-05-29 18:17:40 0 d-------- C:\Users\Akos\AppData\Roaming\DAEMON Tools
2008-05-29 16:22:33 0 d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-05-29 16:22:33 0 d-------- C:\Program Files\Business Objects
2008-05-29 16:18:21 0 d-------- C:\Program Files\Microsoft.NET
2008-05-29 16:15:24 0 d-------- C:\Program Files\Microsoft Device Emulator
2008-05-29 16:15:11 0 d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-05-29 16:13:40 0 d-------- C:\Program Files\Microsoft Synchronization Services
2008-05-29 16:13:40 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-29 16:08:12 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-05-29 16:06:08 0 d-------- C:\Program Files\HTML Help Workshop
2008-05-29 16:04:05 0 d-------- C:\Program Files\Microsoft SDKs
2008-05-29 16:04:05 0 d-------- C:\Program Files\CE Remote Tools
2008-05-29 16:02:21 0 d-------- C:\Program Files\Microsoft Web Designer Tools
2008-05-25 23:27:51 0 -rahs---- C:\MSDOS.SYS
2008-05-25 23:27:51 0 -rahs---- C:\IO.SYS
2008-05-24 13:16:04 0 --a------ C:\Windows\nsreg.dat
2008-05-24 10:55:00 60273 --a------ C:\Windows\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-05-24 10:55:00 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-05-23 23:08:52 0 --a------ C:\Windows\ativpsrm.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008.01.19. 09:38]

"RtHDVCpl"="RtHDVCpl.exe" [2006.12.29. 05:11 C:\Windows\RtHDVCpl.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008.01.21. 12:17]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008.04.01. 20:49]
"TerraTec Remote Control"="C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe" [2008.05.14. 11:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008.01.11. 22:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008.06.10. 04:27]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008.05.27. 10:50]
"MSServer"="C:\Windows\system32\byxVMfDt.dll" [2008.07.29. 01:33]
"BM57197c5b"="C:\Windows\system32\rejfupql.dll" [2008.07.29. 12:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008.01.19. 09:33]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007.10.18. 11:34]
"uTorrent"="C:\Users\Akos\Desktop\utorrent.exe" [2008.05.27. 17:40]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008.04.01. 11:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9B904910-78A4-489D-A825-5111B883A5B2}"= C:\Windows\system32\byxVMfDt.dll [2008.07.29. 01:33 36352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
GPSvcGroup GPSvc
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bff666f-2da0-11dd-b2e9-001a9205834d}]
AutoRun\command- J:\MicroMadness.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8f4a21e-2902-11dd-bef8-806e6f6e6963}]
AutoRun\command- I:\Start.exe

*Newly Created Service* - MCHINJDRV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-29 16:00:37 ------------
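The logs above show the persistence pattern of this family in one place: two HKLM Run values that start `rundll32.exe` on randomly named DLLs in System32 (`byxVMfDt.dll,#1` and `rejfupql.dll,s`), an Explorer ShellExecuteHooks entry pointing at the same `byxVMfDt.dll`, four 8-letter DLLs created in System32 within the same night, cached AutoRun commands under MountPoints2, and `EnableLUA=0` (UAC switched off). The script below is an added example for this thread, not a tool from BleepingComputer, HijackThis or DSS, and not part of any post. It runs simple triage rules over lines copied from the log in post #1 and reports why each entry is worth a look. The rules and thresholds (8-letter names, ordinal or one-letter rundll32 exports, any hook DLL other than shell32, identical file sizes) are this example's own heuristics, not anything the thread states.

```python
"""Triage a HijackThis / Deckard's System Scanner text log for Vundo-style persistence.

Added example for this thread; the rules below are heuristics of this example only.
Treat a hit as "look here", not as a verdict.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Lines copied verbatim from the log in post #1 (not constructed), trimmed to the
# entries the rules act on plus three benign ones that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\byxVMfDt.dll,#1
O4 - HKLM\..\Run: [BM57197c5b] Rundll32.exe "C:\Windows\system32\rejfupql.dll",s
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
2008-07-29 11:24:47 36352 --a------ C:\Windows\system32\byxVMfDt.dll
2008-07-29 01:43:59 80896 --a------ C:\Windows\system32\gxxvlggq.dll
2008-07-29 01:43:51 91136 --a------ C:\Windows\system32\rejfupql.dll
2008-07-29 01:33:42 36352 --a------ C:\Windows\system32\jkkJyYoP.dll
2008-07-29 00:53:42 237568 --a------ C:\Windows\system32\lame_enc.dll
"EnableLUA"=0 (0x0)
"{9B904910-78A4-489D-A825-5111B883A5B2}"= C:\Windows\system32\byxVMfDt.dll [2008.07.29. 01:33 36352]
AutoRun\command- J:\MicroMadness.exe
AutoRun\command- I:\Start.exe
"""

RUN_RE = re.compile(r'^O4 - (\S+?)\\\.\.\\Run: \[([^\]]+)\] rundll32\.exe "?([^",]+)"?,(\S+)', re.I)
FILE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) \S{9} (.+?\.dll)\b', re.I)
HOOK_RE = re.compile(r'^"(\{[0-9A-F-]+\})"= ?(.+?\.dll)\b', re.I)
AUTORUN_RE = re.compile(r'^AutoRun\\command- (.+)$', re.I)
LUA_RE = re.compile(r'^"EnableLUA"=(\d+)')
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str  # Run | ShellExecuteHook | NewFile | AutoRun | Policy
    target: str
    reasons: list[str] = field(default_factory=list)


def stem_of(path: str) -> str:
    """'C:\\Windows\\system32\\byxVMfDt.dll' -> 'byxVMfDt'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """8 letters with mixed case or a run of 3+ consonants (byxVMfDt, rejfupql, gxxvlggq).
    Legitimate names can match too, so callers gate it on an explicit System32 path."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed_case = stem != stem.lower() and stem != stem.upper()
    run = longest = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return mixed_case or longest >= 3


def triage(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: creation time and size of every DLL the scanner listed as newly created.
    created: dict[str, tuple[str, int, str]] = {}
    for line in lines:
        if m := FILE_RE.match(line):
            ts, size, path = m.groups()
            created[path.lower()] = (ts, int(size), path)

    def provenance(dll: str) -> list[str]:
        info = created.get(dll.lower())
        return [f"created {info[0]}, {info[1]} bytes"] if info else []

    findings: list[Finding] = []
    for line in lines:
        if m := RUN_RE.match(line):
            hive, name, dll, export = m.groups()
            if "\\system32\\" not in dll.lower():
                continue  # e.g. oobefldr.dll,ShowWelcomeCenter: bare name and a named export
            reasons = []
            if export.startswith("#") or len(export) <= 2:
                reasons.append(f"rundll32 entry point '{export}' is an ordinal or one-letter export")
            if looks_random(stem_of(dll)):
                reasons.append(f"DLL name '{stem_of(dll)}' looks machine-generated")
            if reasons:
                findings.append(Finding("Run", f"{hive}\\Run\\{name} -> {dll}", reasons + provenance(dll)))
        elif m := HOOK_RE.match(line):
            clsid, dll = m.groups()
            if stem_of(dll).lower() != "shell32":  # Windows' own hook lives in shell32.dll
                findings.append(Finding("ShellExecuteHook", f"{clsid} -> {dll}",
                                        ["hook DLL is loaded into Explorer and any process that calls ShellExecute"]
                                        + provenance(dll)))
        elif m := AUTORUN_RE.match(line):
            findings.append(Finding("AutoRun", m.group(1),
                                    ["MountPoints2 cached an AutoRun command for a removable drive"]))
        elif (m := LUA_RE.match(line)) and m.group(1) == "0":
            findings.append(Finding("Policy", "EnableLUA=0",
                                    ["UAC is off: everything the admin user runs has full administrator rights"]))
    # Pass 2: new System32 DLLs with machine-generated names; identical sizes are worth
    # a note because the same payload is often re-dropped under a fresh name.
    for key, (ts, size, path) in created.items():
        if "\\system32\\" in key and looks_random(stem_of(path)):
            twins = [stem_of(p) for k, (_, s, p) in created.items()
                     if k != key and s == size and looks_random(stem_of(p))]
            reasons = [f"created {ts}, {size} bytes"]
            if twins:
                reasons.append("same size as " + ", ".join(twins))
            findings.append(Finding("NewFile", path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.target}")
        for r in f.reasons:
            print("    -", r)
```

Run as-is it reports the two `Run` values and the hook that all resolve to `byxVMfDt.dll`, the four random-named DLLs (with the note that `byxVMfDt.dll` and `jkkJyYoP.dll` are both 36352 bytes, i.e. the same payload dropped twice), the two cached AutoRun commands, and `EnableLUA=0`, while leaving `jusched.exe`, `oobefldr.dll` and `lame_enc.dll` alone. The hook finding also explains what happens later in the thread: a DLL registered as a ShellExecuteHook is mapped into Explorer, so it cannot be deleted while Explorer is running and the removal tool has to schedule the move for the next reboot. The UAC finding matters for the same reason: with `EnableLUA=0` on an administrator account there was no prompt standing between the dropper and System32 or HKLM.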



#2 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 29 July 2008 - 11:26 AM

Hello jaunos

Welcome to BleepingComputer :thumbsup:
========================
The first thing I will need you to do is to download ONE of these anti-virus programs and install it.
These are free.
AVG Free 8.0
Note: this is free antispyware and antivirus protection.

or
Antivir
===================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\system32\byxVMfDt.dll
    C:\Windows\system32\gxxvlggq.dll
    C:\Windows\system32\rejfupql.dll
    C:\Windows\system32\TBJRAGgh.ini2
    C:\Windows\system32\jkkJyYoP.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM57197c5b
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bff666f-2da0-11dd-b2e9-001a9205834d}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8f4a21e-2902-11dd-bef8-806e6f6e6963}
    I:\Start.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=================
Please post back with these logs:
OTMoveIt log
Malwarebytes log
New DSS log

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 jaunos (Topic Starter, Members, 3 posts)

Posted 29 July 2008 - 03:13 PM

Hello
Thanks for the very helpful and fast reply!
I ran AVG 8 Free too, before OTMoveIt2.exe. Sorry for that... but I think my computer is clean now.

OTMoveIt log

DllUnregisterServer procedure not found in C:\Windows\system32\byxVMfDt.dll
C:\Windows\system32\byxVMfDt.dll NOT unregistered.
File move failed. C:\Windows\system32\byxVMfDt.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\system32\gxxvlggq.dll
C:\Windows\system32\gxxvlggq.dll NOT unregistered.
C:\Windows\system32\gxxvlggq.dll moved successfully.
File/Folder C:\Windows\system32\rejfupql.dll not found.
C:\Windows\system32\TBJRAGgh.ini2 moved successfully.
File/Folder C:\Windows\system32\jkkJyYoP.dll not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM57197c5b >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM57197c5b not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bff666f-2da0-11dd-b2e9-001a9205834d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bff666f-2da0-11dd-b2e9-001a9205834d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8f4a21e-2902-11dd-bef8-806e6f6e6963} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8f4a21e-2902-11dd-bef8-806e6f6e6963}\\ deleted successfully.
File move failed. I:\Start.exe scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07292008_212657

Files moved on Reboot...
File C:\Windows\system32\byxVMfDt.dll not found!
File move failed. I:\Start.exe scheduled to be moved on reboot.

Malwarebytes log
Sorry for some Hungarian language :S

Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 6.0.6001 Service Pack 1

21:45:48 2008.07.29.
mbam-log-7-29-2008 (21-45-48).txt

Scan type: Quick Scan
Objects scanned: 35615
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


New dss log

Deckard's System Scanner v20071014.68
Run by Akos on 2008-07-29 21:55:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Akos.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:58, on 2008.07.29.
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Akos\Desktop\utorrent.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Akos\Desktop\dss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Users\Akos\Desktop\Akos.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live bejelentkezési segítség - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~1\TerraTec\TERRAT~1\THCDES~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Akos\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HÁLÓZATI SZOLGÁLTATÁS')
O8 - Extra context menu item: E&xportálás a Microsoft Excel programba - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Bingo Day - {003E07C0-CA63-4be3-BD0A-A60B64102C97} - C:\Bingo\Bingo Day\casino.exe
O9 - Extra 'Tools' menuitem: Bingo Day - {003E07C0-CA63-4be3-BD0A-A60B64102C97} - C:\Bingo\Bingo Day\casino.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7325 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 21:39:50 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-29 21:39:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 20:21:12 0 d--h----- C:\$AVG8.VAULT$
2008-07-29 20:15:29 0 d-------- C:\Windows\system32\drivers\Avg
2008-07-29 20:15:18 0 d-------- C:\Users\All Users\avg8
2008-07-29 20:15:18 0 d-------- C:\Program Files\AVG
2008-07-29 12:19:09 0 d-------- C:\Program Files\True Sword 4
2008-07-29 11:57:34 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-29 11:37:24 0 d-------- C:\Program Files\Enigma Software Group
2008-07-29 01:33:48 0 d-------- C:\Program Files\Total Video Converter
2008-07-29 01:16:53 165477 --a------ C:\Windows\Video Cleaner Pro Uninstaller.exe
2008-07-29 01:16:52 0 d-------- C:\Users\All Users\River Past G5
2008-07-29 01:16:52 0 d-------- C:\Program Files\River Past
2008-07-29 01:16:52 0 d-------- C:\Program Files\Common Files\River Past
2008-07-29 00:53:43 1245184 --a------ C:\Windows\system32\bkll.dll <Not Verified; NCT Company Ltd.; NCTRMFile ActiveX DLL>
2008-07-29 00:53:43 215552 --a------ C:\Windows\system32\ALOWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
2008-07-29 00:53:43 188416 --a------ C:\Windows\system32\ALOVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
2008-07-29 00:53:43 495104 --a------ C:\Windows\system32\ALOVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
2008-07-29 00:53:43 249856 --a------ C:\Windows\system32\ALOQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
2008-07-29 00:53:43 382464 --a------ C:\Windows\system32\ALOAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
2008-07-29 00:53:42 1 --a------ C:\Windows\yedlata.dll
2008-07-29 00:53:42 237568 --a------ C:\Windows\system32\lame_enc.dll
2008-07-29 00:53:42 403968 --a------ C:\Windows\system32\ALOWMAFile2.dll <Not Verified; Online Media Technologies Ltd.; NCTWMAFile2 ActiveX DLL>
2008-07-29 00:53:42 780288 --a------ C:\Windows\system32\ALOVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
2008-07-29 00:53:42 90112 --a------ C:\Windows\system32\ALOAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-07-29 00:53:42 877568 --a------ C:\Windows\system32\ALOAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-07-29 00:53:42 2846720 --a------ C:\Windows\system32\ALOAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-07-29 00:53:42 778240 --a------ C:\Windows\system32\ALOAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>
2008-07-29 00:53:40 0 d-------- C:\Windows\system32\RMBin
2008-07-28 23:24:27 0 d-------- C:\Program Files\WeFi Software
2008-07-27 23:47:23 0 d-------- C:\Program Files\Spectec
2008-07-27 00:01:45 0 d-------- C:\Program Files\Micro Madness
2008-07-26 20:44:32 0 d-------- C:\Windows\Sun
2008-07-26 12:16:15 0 d-------- C:\Program Files\Bonjour
2008-07-26 12:12:09 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-24 17:09:25 0 d-------- C:\Program Files\QuickTime
2008-07-24 17:09:24 0 d-------- C:\Users\All Users\Apple Computer
2008-07-24 17:08:43 0 d-------- C:\Users\All Users\Apple
2008-07-24 17:08:43 0 d-------- C:\Program Files\Apple Software Update
2008-07-23 20:47:02 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-23 20:09:54 0 d-------- C:\Program Files\Windows Mobile Device Handbook
2008-07-23 19:38:29 0 d-------- C:\Program Files\NavNGo
2008-07-20 20:32:51 0 d-------- C:\Bingo
2008-07-17 10:49:21 0 d-------- C:\Program Files\seven m
2008-07-16 13:16:49 0 d-------- C:\Program Files\Guitar Pro 5
2008-07-12 21:51:09 0 d-------- C:\Windows\Roogoo
2008-07-10 08:01:59 0 d-------- C:\Windows\SQLTools9_KB948109_ENU
2008-07-10 08:00:22 0 d-------- C:\Windows\SQL9_KB948109_ENU
2008-07-07 15:44:30 0 d-------- C:\Poker
2008-07-06 12:15:35 0 d-------- C:\Program Files\AC3Filter
2008-07-05 18:36:53 0 d-------- C:\Program Files\FLAC
2008-07-05 18:26:17 0 d-------- C:\Program Files\Monkey's Audio
2008-07-05 16:53:13 0 d-------- C:\Program Files\Atari


-- Find3M Report ---------------------------------------------------------------

2008-07-29 21:55:59 0 d-------- C:\Users\Akos\AppData\Roaming\uTorrent
2008-07-29 21:39:53 0 d-------- C:\Users\Akos\AppData\Roaming\Malwarebytes
2008-07-29 21:36:30 654298 --a------ C:\Windows\system32\perfh00E.dat
2008-07-29 21:36:30 159634 --a------ C:\Windows\system32\perfc00E.dat
2008-07-29 12:19:31 0 d-------- C:\Users\Akos\AppData\Roaming\True Sword
2008-07-29 01:28:48 0 d-------- C:\Program Files\Xvid
2008-07-29 01:16:52 0 d-------- C:\Users\Akos\AppData\Roaming\River Past G5
2008-07-29 01:16:52 0 d-------- C:\Program Files\Common Files
2008-07-27 23:57:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 14:24:39 0 d-------- C:\Users\Akos\AppData\Roaming\Adobe
2008-07-26 12:16:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-24 11:39:53 0 d-------- C:\Users\Akos\AppData\Roaming\Hide IP NG
2008-07-23 19:38:38 0 d-------- C:\Users\Akos\AppData\Roaming\navngo.com
2008-07-22 09:22:52 0 d-------- C:\Program Files\Java
2008-07-21 18:53:13 0 d-------- C:\Users\Akos\AppData\Roaming\Chameleon Submitter
2008-07-12 21:54:02 0 d-------- C:\Users\Akos\AppData\Roaming\Roogoo
2008-07-10 08:02:07 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-10 08:00:02 0 d-------- C:\Program Files\Windows Mail
2008-07-05 16:57:41 0 dr-h----- C:\Users\Akos\AppData\Roaming\SecuROM
2008-07-05 16:53:11 0 d-------- C:\Users\Akos\AppData\Roaming\gnupg
2008-06-21 02:25:32 0 d-------- C:\Program Files\Trillian
2008-06-20 19:47:02 0 d-------- C:\Program Files\Chameleon Confirmer
2008-06-19 21:57:18 0 d-------- C:\Program Files\Microsoft Press Training Kit Exam Prep
2008-06-17 21:09:16 0 d-------- C:\Users\Akos\AppData\Roaming\Mozilla
2008-06-17 17:03:33 932864 --a------ C:\Windows\system32\DreamSaver.scr
2008-06-16 21:49:42 0 d-------- C:\Program Files\IrfanView
2008-06-15 21:29:56 0 d-------- C:\Program Files\Common Files\Java
2008-06-07 15:59:08 0 d-------- C:\Users\Akos\AppData\Roaming\Nero
2008-06-07 15:57:37 0 d-------- C:\Program Files\Nero
2008-06-07 15:57:29 0 d-------- C:\Program Files\Common Files\Nero
2008-06-07 00:20:09 0 d-------- C:\Users\Akos\AppData\Roaming\GHISLER
2008-06-06 12:15:28 0 d-------- C:\Program Files\Microsoft Works
2008-06-06 12:15:14 0 d-------- C:\Program Files\MSBuild
2008-06-06 12:12:42 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-30 16:05:03 0 d-------- C:\Users\Akos\AppData\Roaming\vlc
2008-05-30 16:03:50 0 d-------- C:\Program Files\VideoLAN
2008-05-30 10:19:27 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-05-29 19:01:32 174 --ahs---- C:\Program Files\desktop.ini
2008-05-29 18:55:29 0 d-------- C:\Program Files\Windows Sidebar
2008-05-29 18:55:29 0 d-------- C:\Program Files\Windows Calendar
2008-05-29 18:55:29 0 d-------- C:\Program Files\Movie Maker
2008-05-29 18:55:28 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-29 18:55:28 0 d-------- C:\Program Files\Windows Journal
2008-05-29 18:55:28 0 d-------- C:\Program Files\Windows Collaboration
2008-05-29 18:55:27 0 d-------- C:\Program Files\Windows Defender
2008-05-29 18:17:40 0 d-------- C:\Users\Akos\AppData\Roaming\DAEMON Tools
2008-05-29 16:22:33 0 d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-05-29 16:22:33 0 d-------- C:\Program Files\Business Objects
2008-05-29 16:18:21 0 d-------- C:\Program Files\Microsoft.NET
2008-05-29 16:15:24 0 d-------- C:\Program Files\Microsoft Device Emulator
2008-05-29 16:15:11 0 d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-05-29 16:13:40 0 d-------- C:\Program Files\Microsoft Synchronization Services
2008-05-29 16:13:40 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-29 16:08:12 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-05-29 16:06:08 0 d-------- C:\Program Files\HTML Help Workshop
2008-05-29 16:04:05 0 d-------- C:\Program Files\Microsoft SDKs
2008-05-29 16:04:05 0 d-------- C:\Program Files\CE Remote Tools
2008-05-29 16:02:21 0 d-------- C:\Program Files\Microsoft Web Designer Tools
2008-05-25 23:27:51 0 -rahs---- C:\MSDOS.SYS
2008-05-25 23:27:51 0 -rahs---- C:\IO.SYS
2008-05-24 13:16:04 0 --a------ C:\Windows\nsreg.dat
2008-05-24 10:55:00 60273 --a------ C:\Windows\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-05-24 10:55:00 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-05-23 23:08:52 0 --a------ C:\Windows\ativpsrm.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008.01.19. 09:38]
"RtHDVCpl"="RtHDVCpl.exe" [2006.12.29. 05:11 C:\Windows\RtHDVCpl.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008.01.21. 12:17]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008.04.01. 20:49]
"TerraTec Remote Control"="C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe" [2008.05.14. 11:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008.01.11. 22:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008.06.10. 04:27]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008.05.27. 10:50]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008.07.29. 20:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008.01.19. 09:33]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007.10.18. 11:34]
"uTorrent"="C:\Users\Akos\Desktop\utorrent.exe" [2008.05.27. 17:40]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008.04.01. 11:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
GPSvcGroup GPSvc
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-29 21:56:45 ------------

Thanks again

Edited by jaunos, 29 July 2008 - 03:13 PM.


#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 29 July 2008 - 07:03 PM

Yep, looks better. I want to check these files please:

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

C:\Windows\ativpsrm.bin
C:\Windows\yedlata.dll

Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete, please copy and paste those results in your next post.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 jaunos

  • Topic Starter
  • Members
  • 3 posts

Posted 30 July 2008 - 06:53 AM

File yedlata.dll received on 07.30.2008 13:41:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.07.30 -
AntiVir 7.8.1.12 2008.07.30 -
Authentium 5.1.0.4 2008.07.30 -
Avast 4.8.1195.0 2008.07.29 -
AVG 8.0.0.130 2008.07.30 -
BitDefender 7.2 2008.07.30 -
CAT-QuickHeal 9.50 2008.07.29 -
ClamAV 0.93.1 2008.07.30 -
DrWeb 4.44.0.09170 2008.07.30 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5995 2008.07.30 -
Ewido 4.0 2008.07.30 -
F-Prot 4.4.4.56 2008.07.30 -
F-Secure 7.60.13501.0 2008.07.30 -
Fortinet 3.14.0.0 2008.07.30 -
GData 2.0.7306.1023 2008.07.30 -
Ikarus T3.1.1.34.0 2008.07.30 -
Kaspersky 7.0.0.125 2008.07.30 -
McAfee 5349 2008.07.29 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3309 2008.07.30 -
Norman 5.80.02 2008.07.30 -
Panda 9.0.0.4 2008.07.29 -
PCTools 4.4.2.0 2008.07.30 -
Prevx1 V2 2008.07.30 -
Rising 20.55.22.00 2008.07.30 -
Sophos 4.31.0 2008.07.30 -
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.30 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.30 -
VBA32 3.12.8.1 2008.07.29 -
ViRobot 2008.7.30.1317 2008.07.30 -
VirusBuster 4.5.11.0 2008.07.29 -
Webwasher-Gateway 6.6.2 2008.07.30 -
Additional information
File size: 1 bytes
MD5...: 7215ee9c7d9dc229d2921a40e899ec5f
SHA1..: b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256: 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512: f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768
PEiD..: -
PEInfo: -

The other file's (ativpsrm.bin) size is 0. I can't upload it.
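The digests in the VirusTotal report above pin a 1-byte file down completely, which is why every engine returned a clean verdict: the added example below (not code from the thread or from any scanner named in it; all function names are the example's own) recovers the content by exhaustive search over every possible 1-byte (or 2-byte) file, confirms all four reported hashes, and then checks whether the result could be a loadable DLL at all.

```python
import hashlib
import itertools
from typing import Dict, Optional

# Digests copied verbatim from the VirusTotal report above for yedlata.dll
# (reported size: 1 byte). Nothing here is read from a real file.
REPORTED_SIZE = 1
REPORTED_HASHES: Dict[str, str] = {
    "md5": "7215ee9c7d9dc229d2921a40e899ec5f",
    "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6",
    "sha256": "36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068",
    "sha512": (
        "f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc33927"
        "5ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768"
    ),
}


def digests(data: bytes, algorithms=("md5", "sha1", "sha256", "sha512")) -> Dict[str, str]:
    """Compute the same digest set an online scanner reports, for candidate content."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algorithms}


def recover_tiny_file(reported: Dict[str, str], size: int) -> Optional[bytes]:
    """Brute-force the content of a tiny file from the hashes a scanner reported.

    With only 256**size possible contents, the digests identify the file exactly.
    Sizes 1 and 2 are searched (256 and 65536 candidates); anything larger is
    rejected rather than attempted. Returns the content, or None when no
    candidate reproduces every reported digest, which would mean the report
    and the claimed size do not belong together.
    """
    if not 1 <= size <= 2:
        raise ValueError("exhaustive search is only practical for 1- or 2-byte files")
    wanted = {algo: value.lower() for algo, value in reported.items()}
    # Cheap pre-filter on one digest, then confirm every reported digest.
    first_algo = next(iter(wanted))
    for candidate in itertools.product(range(256), repeat=size):
        data = bytes(candidate)
        if hashlib.new(first_algo, data).hexdigest() != wanted[first_algo]:
            continue
        if digests(data, tuple(wanted)) == wanted:
            return data
    return None


def is_plausible_pe(data: bytes) -> bool:
    """Minimal sanity check: a loadable DLL starts with an MZ DOS header (64 bytes or more)."""
    return len(data) >= 64 and data[:2] == b"MZ"


def describe(data: Optional[bytes]) -> str:
    """Human-readable verdict for the recovered content."""
    if data is None:
        return "no content of the claimed size matches the reported hashes; re-check the report"
    if is_plausible_pe(data):
        return "content looks like a PE image"
    return f"content is {data!r}: not a PE image, so it cannot be loaded as a DLL"


if __name__ == "__main__":
    # For the report above this recovers a single space character.
    content = recover_tiny_file(REPORTED_HASHES, REPORTED_SIZE)
    print(describe(content))
```

A file whose whole content is one space is a harmless leftover (or a placeholder written by something that never finished), not a DLL, so the scanner verdict and the file listing entry "2008-07-29 00:53:42 1 --a------ C:\Windows\yedlata.dll" agree with each other.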

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 30 July 2008 - 11:36 AM

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\ativpsrm.bin
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows Vista
http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#7 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 August 2008 - 08:18 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbsup:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.



