
Massive Multiple Infections! Help?


This topic is locked
16 replies to this topic

#1 kalebbroo

  • Members
  • 45 posts

Posted 03 August 2008 - 08:08 PM

I told a friend I would clean up his computer, but I didn't know what I was getting into!!! This is way beyond anything I can do.

Deckard's System Scanner v20071014.68
Run by brokebackbuddy on 2008-08-03 20:43:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
5: 2008-08-04 03:11:25 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-08-03 23:47:24 UTC - RP4 - Installed Kaspersky Anti-Virus 2009.
3: 2008-08-03 23:39:36 UTC - RP3 - Software Distribution Service 3.0
2: 2008-08-03 23:19:29 UTC - RP2 - Software Distribution Service 3.0
1: 2008-08-03 23:52:56 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 352 MiB (512 MiB recommended).


-- HijackThis (run as brokebackbuddy.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44: VIRUS ALERT!, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\brokebackbuddy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\brokebackbuddy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55D17579-F6FF-4A63-981B-6683F99B9972} - C:\WINDOWS\system32\ssqRLFvt.dll
O2 - BHO: (no name) - {924C746C-66D0-46EA-B7D0-A413E47EFFB2} - C:\WINDOWS\system32\ddcYPgHa.dll
O2 - BHO: QXK Olive - {B763BE68-B1D1-41F4-9087-8BF71BB93155} - C:\WINDOWS\nfavxwdbdfm.dll
O3 - Toolbar: fdkowvbp - {FB3486FF-2A37-4536-B847-D999BA4E7776} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll
O20 - Winlogon Notify: ssqRLFvt - C:\WINDOWS\SYSTEM32\ssqRLFvt.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: wnslvxtf - {759C672E-D65C-4E05-8336-744BF8CA7B13} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {0CAB8BEF-331C-4594-896E-3F015E557E62} - C:\WINDOWS\eqvwamkl.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 3282 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Winhl47 - c:\windows\system32\drivers\winhl47.sys

S0 Winsv68 - c:\windows\system32\drivers\winsv68.sys (file missing)
S0 Winua25 - c:\windows\system32\drivers\winua25.sys (file missing)
S0 Winwa25 - c:\windows\system32\drivers\winwa25.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_90121509&REV_50\3&61AAA01&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_90121509&REV_50\3&61AAA01&0&8D
Service:


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 20:41:50 0 d-------- C:\WINDOWS\privacy_danger
2008-08-03 20:31:51 0 d-------- C:\Program Files\Trend Micro
2008-08-03 19:48:58 322816 --a------ C:\WINDOWS\system32\ddcYPgHa.dll
2008-08-03 19:48:57 36864 --a------ C:\WINDOWS\system32\ssqRLFvt.dll
2008-08-03 18:06:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 17:00:30 1382197 ---hs---- C:\WINDOWS\system32\jvoijinh.ini2
2008-08-03 16:52:45 232701 --ahs---- C:\WINDOWS\system32\aHgPYcdd.ini2
2008-08-03 16:49:54 96559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-03 16:49:54 87855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-03 16:47:54 98336 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-03 16:47:54 548384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 16:47:53 0 d-------- C:\Program Files\Kaspersky Lab
2008-08-03 16:47:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-03 16:47:01 16896 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-08-03 16:46:36 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\TmpRecentIcons
2008-08-03 16:46:21 393216 --a------ C:\WINDOWS\wnslvxtf.dll
2008-08-03 16:46:21 393216 --a------ C:\WINDOWS\nfavxwdbdfm.dll
2008-08-03 16:46:21 94208 --a------ C:\WINDOWS\grswptdl.exe
2008-08-03 16:46:21 192512 --a------ C:\WINDOWS\fdkowvbp.dll
2008-08-03 16:46:21 266240 --a------ C:\WINDOWS\eqvwamkl.dll
2008-08-03 16:46:21 163840 --a------ C:\WINDOWS\edot.exe
2008-08-03 16:46:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL
2008-08-03 16:45:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 16:21:24 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-03 16:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-08-03 16:19:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-08-03 16:19:45 0 d--h----- C:\WINDOWS\$hf_mig$
2008-08-03 16:11:34 0 d---s---- C:\Documents and Settings\brokebackbuddy\UserData
2008-08-03 16:10:19 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Identities
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\Templates
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\Start Menu
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\SendTo
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\Recent
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\PrintHood
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\NetHood
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\My Documents
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\Local Settings
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\Favorites
2008-08-03 16:10:09 0 d-------- C:\Documents and Settings\brokebackbuddy\Desktop
2008-08-03 16:10:09 0 d---s---- C:\Documents and Settings\brokebackbuddy\Cookies
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\Application Data
2008-08-03 16:10:08 3407872 --ah----- C:\Documents and Settings\brokebackbuddy\NTUSER.DAT
2008-08-03 16:08:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-08-03 16:07:38 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-03 16:07:27 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-08-03 16:07:27 0 d-------- C:\WINDOWS\Prefetch
2008-08-03 16:07:26 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-08-03 16:07:26 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-08-03 16:07:26 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-08-03 16:07:25 225280 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-08-03 16:07:25 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-08-03 16:07:15 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-08-03 16:07:15 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-08-03 16:07:15 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-08-03 16:07:15 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-08-03 16:07:15 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-08-03 16:02:37 0 d-------- C:\WINDOWS\system32\xircom
2008-08-03 16:02:37 0 d-------- C:\Program Files\microsoft frontpage
2008-08-03 16:02:14 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-08-03 16:02:01 0 -rahs---- C:\MSDOS.SYS
2008-08-03 16:02:01 0 -rahs---- C:\IO.SYS
2008-08-03 16:02:01 0 --a------ C:\CONFIG.SYS
2008-08-03 16:02:01 0 --a------ C:\AUTOEXEC.BAT
2008-08-03 16:00:14 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-08-03 15:59:56 0 dr------- C:\WINDOWS\Offline Web Pages
2008-08-03 15:59:56 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-08-03 15:59:38 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-03 15:59:13 0 d-------- C:\WINDOWS\system32\DirectX
2008-08-03 15:58:46 0 d---s---- C:\WINDOWS\Tasks
2008-08-03 15:58:46 0 d-------- C:\Program Files\Common Files\MSSoap
2008-08-03 15:58:43 0 d-------- C:\WINDOWS\srchasst
2008-08-03 15:58:42 0 d-------- C:\WINDOWS\system32\Macromed
2008-08-03 15:58:36 0 d-------- C:\Program Files\Movie Maker
2008-08-03 15:58:30 0 d-------- C:\WINDOWS\system32\Restore
2008-08-03 15:57:36 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-08-03 15:57:11 0 d-------- C:\WINDOWS\Registration
2008-08-03 15:57:00 0 d-------- C:\Program Files\Online Services
2008-08-03 15:56:50 0 d-------- C:\Program Files\Messenger
2008-08-03 15:56:48 0 d-------- C:\Program Files\MSN Gaming Zone
2008-08-03 15:56:33 31616 --a------ C:\WINDOWS\system32\drivers\Winhl47.sys
2008-08-03 15:56:17 0 d-------- C:\Program Files\Windows NT
2008-08-03 15:56:14 0 d-------- C:\WINDOWS\system32\MsDtc
2008-08-03 15:56:13 0 d-------- C:\WINDOWS\system32\Com
2008-08-03 08:40:28 0 d--hs---- C:\WINDOWS\Installer
2008-08-03 08:40:27 0 d-------- C:\Program Files\Common Files\ODBC
2008-08-03 08:40:23 0 dr------- C:\Program Files
2008-08-03 08:40:23 0 d-------- C:\Program Files\Common Files
2008-08-03 08:40:23 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-08-03 08:39:56 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-08-03 08:39:56 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-08-03 08:39:56 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\All Users\Documents
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-08-03 08:39:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-08-03 08:39:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-08-03 08:39:34 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-08-03 08:39:34 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-08-03 08:39:34 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-08-03 08:39:34 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-08-03 08:39:12 0 d-------- C:\Documents and Settings
2008-08-03 08:39:11 0 d--hs---- C:\System Volume Information
2008-08-03 08:32:08 0 d-------- C:\WINDOWS
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\WinSxS
2008-08-03 08:32:08 0 dr------- C:\WINDOWS\Web
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\twain_32
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\wins
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\wbem
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\usmt
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\spool
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ShellExt
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\Setup
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ras
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\oobe
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\npp
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\mui
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\inetsrv
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\IME
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\icsxml
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ias
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\export
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-08-03 08:32:08 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\dhcp
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\config
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\3076
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\2052
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1054
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1042
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1041
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1037
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1033
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1031
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1028
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1025
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\security
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Resources
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\repair
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Provisioning
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\PeerNet
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\pchealth
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\mui
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\msapps
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\msagent
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Media
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\java
2008-08-03 08:32:08 0 d--h----- C:\WINDOWS\inf
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\ime
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Help
2008-08-03 08:32:08 0 dr--s---- C:\WINDOWS\Fonts
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\ehome
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Driver Cache
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Debug
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Cursors
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Connection Wizard
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Config
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\AppPatch
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-08-03 08:39:56 62 --ahs---- C:\Documents and Settings\brokebackbuddy\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55D17579-F6FF-4A63-981B-6683F99B9972}]
08/03/2008 19:48: VIRUS ALERT! 36864 --a------ C:\WINDOWS\system32\ssqRLFvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{924C746C-66D0-46EA-B7D0-A413E47EFFB2}]
08/03/2008 19:48: VIRUS ALERT! 322816 --a------ C:\WINDOWS\system32\ddcYPgHa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B763BE68-B1D1-41F4-9087-8BF71BB93155}]
08/01/2008 03:27: VIRUS ALERT! 393216 --a------ C:\WINDOWS\nfavxwdbdfm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [04/25/2008 18:21: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"s9201"="C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42: VIRUS ALERT!]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{55D17579-F6FF-4A63-981B-6683F99B9972}"= C:\WINDOWS\system32\ssqRLFvt.dll [08/03/2008 19:48: VIRUS ALERT! 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wnslvxtf"= {759C672E-D65C-4E05-8336-744BF8CA7B13} - C:\WINDOWS\wnslvxtf.dll [08/01/2008 03:27: VIRUS ALERT! 393216]
"eqvwamkl"= {0CAB8BEF-331C-4594-896E-3F015E557E62} - C:\WINDOWS\eqvwamkl.dll [08/01/2008 03:27: VIRUS ALERT! 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLFvt]
ssqRLFvt.dll 08/03/2008 19:48: VIRUS ALERT! 36864 C:\WINDOWS\system32\ssqRLFvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 08/03/2008 20:41: VIRUS ALERT! 16896 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\progra~1\kasper~1\kasper~1\mzvkbd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcYPgHa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsv68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwa25.sys]
@="Driver"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8940 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-03 20:50:44 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2000+
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 351.49 MiB / 139.09 MiB
Pagefile Memory (total/avail): 854.06 MiB / 569.23 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.46 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 34.02 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400EB-00CPF0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Kaspersky Anti-Virus v8.0.0.357 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\brokebackbuddy\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BUDDY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\brokebackbuddy
LOGONSERVER=\\BUDDY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0800
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BROKEB~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\BROKEB~1\LOCALS~1\Temp
USERDOMAIN=BUDDY
USERNAME=brokebackbuddy
USERPROFILE=C:\Documents and Settings\brokebackbuddy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

brokebackbuddy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Kaspersky Anti-Virus 2009 --> MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009 --> MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
WebVideo Support --> C:\WINDOWS\grswptdl.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type45 / Error
Event Submitted/Written: 08/03/2008 08:18:16 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type43 / Error
Event Submitted/Written: 08/03/2008 07:57:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type18 / Warning
Event Submitted/Written: 08/03/2008 04:01:19 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type17 / Warning
Event Submitted/Written: 08/03/2008 04:01:19 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type13 / Warning
Event Submitted/Written: 08/03/2008 03:58:03 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type123 / Warning
Event Submitted/Written: 08/03/2008 05:37:52 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type122 / Warning
Event Submitted/Written: 08/03/2008 05:37:52 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type121 / Warning
Event Submitted/Written: 08/03/2008 05:37:52 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type120 / Warning
Event Submitted/Written: 08/03/2008 05:37:52 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type118 / Warning
Event Submitted/Written: 08/03/2008 05:31:37 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.



-- End of Deckard's System Scanner: finished at 2008-08-03 20:50:44 ------------


#2 kalebbroo

  • Topic Starter
  • Members
  • 45 posts

Posted 04 August 2008 - 11:05 PM

bump

#3 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 August 2008 - 10:52 PM

Hello kalebbroo,

It is not a good idea to "Bump" your post, as it will only delay help for your log.

When selecting logs we generally use two criteria to look for unanswered logs.

1. We start from the oldest to the most recent. That means if you keep bumping, your log is at the top of the list, and since we do not work from the top, it will be looked at last!! :thumbsup:

2. We look first for posts with no replies. A bump is a reply, so you get pushed further down the response ladder. :)



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 kalebbroo

  • Topic Starter
  • Members
  • 45 posts

Posted 09 August 2008 - 12:26 AM

Sorry for the bump.

Here are the new logs, thanks for the help.

Deckard's System Scanner v20071014.68
Run by brokebackbuddy on 2008-08-09 01:13:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 352 MiB (512 MiB recommended).


-- HijackThis (run as brokebackbuddy.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:32 AM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\brokebackbuddy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BROKEB~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
O2 - BHO: (no name) - {29F3289E-01FD-4198-8184-908C74297732} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55D17579-F6FF-4A63-981B-6683F99B9972} - (no file)
O2 - BHO: (no name) - {AFFA2A1B-4B47-4767-9271-8E4623DB09D5} - (no file)
O3 - Toolbar: fdkowvbp - {FB3486FF-2A37-4536-B847-D999BA4E7776} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll
O20 - Winlogon Notify: ssqRLFvt - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

--
End of file - 2565 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 00:49:47 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Malwarebytes
2008-08-09 00:48:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 00:47:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 20:53:09 0 d-------- C:\WINDOWS\pss
2008-08-03 20:31:51 0 d-------- C:\Program Files\Trend Micro
2008-08-03 18:06:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 17:00:30 1382197 ---hs---- C:\WINDOWS\system32\jvoijinh.ini2
2008-08-03 16:49:54 96976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-03 16:49:54 87855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-03 16:47:54 98336 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-03 16:47:54 555552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 16:47:53 0 d-------- C:\Program Files\Kaspersky Lab
2008-08-03 16:47:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-03 16:46:36 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\TmpRecentIcons
2008-08-03 16:45:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 16:21:24 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-03 16:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-08-03 16:19:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-08-03 16:19:45 0 d--h----- C:\WINDOWS\$hf_mig$
2008-08-03 16:11:34 0 d---s---- C:\Documents and Settings\brokebackbuddy\UserData
2008-08-03 16:10:19 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Identities
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\Templates
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\Start Menu
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\SendTo
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\Recent
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\PrintHood
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\NetHood
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\My Documents
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\Local Settings
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\Favorites
2008-08-03 16:10:09 0 d-------- C:\Documents and Settings\brokebackbuddy\Desktop
2008-08-03 16:10:09 0 d---s---- C:\Documents and Settings\brokebackbuddy\Cookies
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\Application Data
2008-08-03 16:10:08 3407872 --ah----- C:\Documents and Settings\brokebackbuddy\NTUSER.DAT
2008-08-03 16:08:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-08-03 16:07:38 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-03 16:07:27 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-08-03 16:07:27 0 d-------- C:\WINDOWS\Prefetch
2008-08-03 16:07:26 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-08-03 16:07:26 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-08-03 16:07:26 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-08-03 16:07:25 225280 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-08-03 16:07:25 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-08-03 16:07:15 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-08-03 16:07:15 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-08-03 16:07:15 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-08-03 16:07:15 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-08-03 16:07:15 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-08-03 16:02:37 0 d-------- C:\WINDOWS\system32\xircom
2008-08-03 16:02:37 0 d-------- C:\Program Files\microsoft frontpage
2008-08-03 16:02:14 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-08-03 16:02:01 0 -rahs---- C:\MSDOS.SYS
2008-08-03 16:02:01 0 -rahs---- C:\IO.SYS
2008-08-03 16:02:01 0 --a------ C:\CONFIG.SYS
2008-08-03 16:02:01 0 --a------ C:\AUTOEXEC.BAT
2008-08-03 16:00:14 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-08-03 15:59:56 0 dr------- C:\WINDOWS\Offline Web Pages
2008-08-03 15:59:56 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-08-03 15:59:38 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-03 15:59:13 0 d-------- C:\WINDOWS\system32\DirectX
2008-08-03 15:58:46 0 d---s---- C:\WINDOWS\Tasks
2008-08-03 15:58:46 0 d-------- C:\Program Files\Common Files\MSSoap
2008-08-03 15:58:43 0 d-------- C:\WINDOWS\srchasst
2008-08-03 15:58:42 0 d-------- C:\WINDOWS\system32\Macromed
2008-08-03 15:58:36 0 d-------- C:\Program Files\Movie Maker
2008-08-03 15:58:30 0 d-------- C:\WINDOWS\system32\Restore
2008-08-03 15:57:36 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-08-03 15:57:11 0 d-------- C:\WINDOWS\Registration
2008-08-03 15:57:00 0 d-------- C:\Program Files\Online Services
2008-08-03 15:56:50 0 d-------- C:\Program Files\Messenger
2008-08-03 15:56:48 0 d-------- C:\Program Files\MSN Gaming Zone
2008-08-03 15:56:17 0 d-------- C:\Program Files\Windows NT
2008-08-03 15:56:14 0 d-------- C:\WINDOWS\system32\MsDtc
2008-08-03 15:56:13 0 d-------- C:\WINDOWS\system32\Com
2008-08-03 08:40:28 0 d--hs---- C:\WINDOWS\Installer
2008-08-03 08:40:27 0 d-------- C:\Program Files\Common Files\ODBC
2008-08-03 08:40:23 0 dr------- C:\Program Files
2008-08-03 08:40:23 0 d-------- C:\Program Files\Common Files
2008-08-03 08:40:23 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-08-03 08:39:56 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-08-03 08:39:56 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-08-03 08:39:56 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\All Users\Documents
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-08-03 08:39:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-08-03 08:39:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-08-03 08:39:34 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-08-03 08:39:34 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-08-03 08:39:34 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-08-03 08:39:34 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-08-03 08:39:12 0 d-------- C:\Documents and Settings
2008-08-03 08:39:11 0 d--hs---- C:\System Volume Information
2008-08-03 08:32:08 0 d-------- C:\WINDOWS
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\WinSxS
2008-08-03 08:32:08 0 dr------- C:\WINDOWS\Web
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\twain_32
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\wins
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\wbem
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\usmt
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\spool
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ShellExt
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\Setup
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ras
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\oobe
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\npp
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\mui
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\inetsrv
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\IME
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\icsxml
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ias
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\export
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-08-03 08:32:08 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\dhcp
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\config
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\3076
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\2052
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1054
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1042
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1041
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1037
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1033
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1031
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1028
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1025
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\security
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Resources
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\repair
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Provisioning
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\PeerNet
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\pchealth
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\mui
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\msapps
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\msagent
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Media
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\java
2008-08-03 08:32:08 0 d--h----- C:\WINDOWS\inf
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\ime
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Help
2008-08-03 08:32:08 0 dr--s---- C:\WINDOWS\Fonts
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\ehome
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Driver Cache
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Debug
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Cursors
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Connection Wizard
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Config
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\AppPatch
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-08-03 08:39:56 62 --ahs---- C:\Documents and Settings\brokebackbuddy\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29F3289E-01FD-4198-8184-908C74297732}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55D17579-F6FF-4A63-981B-6683F99B9972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFFA2A1B-4B47-4767-9271-8E4623DB09D5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [04/25/2008 06:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLFvt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\progra~1\kasper~1\kasper~1\mzvkbd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsv68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwa25.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-08-09 01:17:28 ------------








Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

1:08:52 AM 8/9/2008
mbam-log-8-9-2008 (01-08-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 47324
Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 19
Registry Values Infected: 3
Registry Data Items Infected: 13
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcYPgHa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ssqRLFvt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\nfavxwdbdfm.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29f3289e-01fd-4198-8184-908c74297732} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{29f3289e-01fd-4198-8184-908c74297732} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55d17579-f6ff-4a63-981b-6683f99b9972} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{55d17579-f6ff-4a63-981b-6683f99b9972} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrlfvt (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1486f5bc-05bf-42f2-9f91-ccf8319f6685} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ae30d98-c235-4030-8360-b7b652d8d64a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{699e5d2a-0c7a-49e4-a84a-da454a48fe71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b763be68-b1d1-41f4-9087-8bf71bb93155} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b763be68-b1d1-41f4-9087-8bf71bb93155} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bpeb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{55d17579-f6ff-4a63-981b-6683f99b9972} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\eqvwamkl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcypgha -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcypgha -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-640-1464517-23617) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcYPgHa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aHgPYcdd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aHgPYcdd.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqRLFvt.dll (Trojan.BHO) -> Delete on reboot.
C:\Deckard\System Scanner\20080803204310\backup\DOCUME~1\BROKEB~1\LOCALS~1\Temp\lwpwer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\edot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winhl47.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\nfavxwdbdfm.dll (Trojan.FakeAlert) -> Delete on reboot.

#5 SifuMike

SifuMike
  • malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:09 AM

Posted 09 August 2008 - 12:32 AM

Hi kalebbroo,

I think Teatimer is stopping MalwareBytes from working, so we need to disable it.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Then run Malwarebytes again and post its log along with a fresh DSS Main.txt.

#6 kalebbroo

kalebbroo
  • Topic Starter

  • Members
  • 45 posts
  • Local time:04:09 AM

Posted 09 August 2008 - 01:57 AM

New logs. I wasn't paying attention and Auto Update installed SP3 lol, the Olympics distracted me.

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 3

2:46:38 AM 8/9/2008
mbam-log-8-9-2008 (02-46-38).txt

Scan type: Quick Scan
Objects scanned: 36667
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.








Deckard's System Scanner v20071014.68
Run by brokebackbuddy on 2008-08-09 02:50:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 352 MiB (512 MiB recommended).


-- HijackThis (run as brokebackbuddy.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:24 AM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\brokebackbuddy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BROKEB~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
O2 - BHO: (no name) - {29F3289E-01FD-4198-8184-908C74297732} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55D17579-F6FF-4A63-981B-6683F99B9972} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AFFA2A1B-4B47-4767-9271-8E4623DB09D5} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: fdkowvbp - {FB3486FF-2A37-4536-B847-D999BA4E7776} - C:\WINDOWS\fdkowvbp.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll
O20 - Winlogon Notify: ssqRLFvt - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

--
End of file - 3368 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 02:37:52 0 d-------- C:\WINDOWS\Prefetch
2008-08-09 02:26:53 0 d-------- C:\WINDOWS\system32\scripting
2008-08-09 02:26:52 0 d-------- C:\WINDOWS\l2schemas
2008-08-09 02:26:50 0 d-------- C:\WINDOWS\system32\en
2008-08-09 02:26:50 0 d-------- C:\WINDOWS\system32\bits
2008-08-09 02:21:40 0 d-------- C:\WINDOWS\ServicePackFiles
2008-08-09 02:17:48 0 d-------- C:\WINDOWS\network diagnostic
2008-08-09 01:53:34 0 d-------- C:\Program Files\uTorrent
2008-08-09 01:53:31 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\uTorrent
2008-08-09 01:52:44 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-09 01:52:39 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Mozilla
2008-08-09 01:42:47 0 d-------- C:\Program Files\Java
2008-08-09 01:42:44 0 d-------- C:\Program Files\Common Files\Java
2008-08-09 01:42:19 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Sun
2008-08-09 01:41:29 0 d-------- C:\Program Files\FrostWire
2008-08-09 01:41:27 0 d-------- C:\Program Files\AskSBar
2008-08-09 01:38:52 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-08-09 01:34:23 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-08-09 00:49:47 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Malwarebytes
2008-08-09 00:48:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 00:47:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 20:53:09 0 d-------- C:\WINDOWS\pss
2008-08-03 20:31:51 0 d-------- C:\Program Files\Trend Micro
2008-08-03 18:06:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 17:00:30 1382197 ---hs---- C:\WINDOWS\system32\jvoijinh.ini2
2008-08-03 16:49:54 96976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-03 16:49:54 87855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-03 16:47:54 180256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-03 16:47:54 824352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 16:47:53 0 d-------- C:\Program Files\Kaspersky Lab
2008-08-03 16:47:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-03 16:46:36 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\TmpRecentIcons
2008-08-03 16:45:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 16:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-08-03 16:19:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-08-03 16:19:45 0 d--h----- C:\WINDOWS\$hf_mig$
2008-08-03 16:11:34 0 d---s---- C:\Documents and Settings\brokebackbuddy\UserData
2008-08-03 16:10:19 0 d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Identities
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\Templates
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\Start Menu
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\SendTo
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\Recent
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\PrintHood
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\NetHood
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\My Documents
2008-08-03 16:10:09 0 d--h----- C:\Documents and Settings\brokebackbuddy\Local Settings
2008-08-03 16:10:09 0 dr------- C:\Documents and Settings\brokebackbuddy\Favorites
2008-08-03 16:10:09 0 d-------- C:\Documents and Settings\brokebackbuddy\Desktop
2008-08-03 16:10:09 0 d---s---- C:\Documents and Settings\brokebackbuddy\Cookies
2008-08-03 16:10:09 0 dr-h----- C:\Documents and Settings\brokebackbuddy\Application Data
2008-08-03 16:10:08 3407872 --ah----- C:\Documents and Settings\brokebackbuddy\NTUSER.DAT
2008-08-03 16:08:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-08-03 16:07:38 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-03 16:07:27 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-08-03 16:07:26 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-08-03 16:07:26 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-08-03 16:07:26 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-08-03 16:07:25 225280 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-08-03 16:07:25 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-08-03 16:07:15 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-08-03 16:07:15 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-08-03 16:07:15 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-08-03 16:07:15 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-08-03 16:07:15 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-08-03 16:02:37 0 d-------- C:\WINDOWS\system32\xircom
2008-08-03 16:02:37 0 d-------- C:\Program Files\microsoft frontpage
2008-08-03 16:02:14 262144 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-08-03 16:02:01 0 -rahs---- C:\MSDOS.SYS
2008-08-03 16:02:01 0 -rahs---- C:\IO.SYS
2008-08-03 16:02:01 0 --a------ C:\CONFIG.SYS
2008-08-03 16:02:01 0 --a------ C:\AUTOEXEC.BAT
2008-08-03 16:00:14 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-08-03 15:59:56 0 dr------- C:\WINDOWS\Offline Web Pages
2008-08-03 15:59:56 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-08-03 15:59:38 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-03 15:59:13 0 d-------- C:\WINDOWS\system32\DirectX
2008-08-03 15:58:46 0 d---s---- C:\WINDOWS\Tasks
2008-08-03 15:58:46 0 d-------- C:\Program Files\Common Files\MSSoap
2008-08-03 15:58:43 0 d-------- C:\WINDOWS\srchasst
2008-08-03 15:58:42 0 d-------- C:\WINDOWS\system32\Macromed
2008-08-03 15:58:36 0 d-------- C:\Program Files\Movie Maker
2008-08-03 15:58:30 0 d-------- C:\WINDOWS\system32\Restore
2008-08-03 15:57:36 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-08-03 15:57:11 0 d-------- C:\WINDOWS\Registration
2008-08-03 15:57:00 0 d-------- C:\Program Files\Online Services
2008-08-03 15:56:50 0 d-------- C:\Program Files\Messenger
2008-08-03 15:56:48 0 d-------- C:\Program Files\MSN Gaming Zone
2008-08-03 15:56:17 0 d-------- C:\Program Files\Windows NT
2008-08-03 15:56:14 0 d-------- C:\WINDOWS\system32\MsDtc
2008-08-03 15:56:13 0 d-------- C:\WINDOWS\system32\Com
2008-08-03 08:40:28 0 d--hs---- C:\WINDOWS\Installer
2008-08-03 08:40:27 0 d-------- C:\Program Files\Common Files\ODBC
2008-08-03 08:40:23 0 dr------- C:\Program Files
2008-08-03 08:40:23 0 d-------- C:\Program Files\Common Files
2008-08-03 08:40:23 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-08-03 08:39:56 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-08-03 08:39:56 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-08-03 08:39:56 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-08-03 08:39:56 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-08-03 08:39:56 0 dr------- C:\Documents and Settings\All Users\Documents
2008-08-03 08:39:56 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-08-03 08:39:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-08-03 08:39:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-08-03 08:39:34 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-08-03 08:39:34 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-08-03 08:39:34 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-08-03 08:39:34 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-08-03 08:39:12 0 d-------- C:\Documents and Settings
2008-08-03 08:39:11 0 d--hs---- C:\System Volume Information
2008-08-03 08:32:08 0 d-------- C:\WINDOWS
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\WinSxS
2008-08-03 08:32:08 0 dr------- C:\WINDOWS\Web
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\twain_32
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\wins
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\wbem
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\usmt
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\spool
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ShellExt
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\Setup
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ras
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\oobe
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\npp
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\mui
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\inetsrv
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\IME
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\icsxml
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\ias
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\export
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-08-03 08:32:08 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\dhcp
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\config
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\3076
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\2052
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1054
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1042
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1041
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1037
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1033
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1031
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1028
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system32\1025
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\system
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\security
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Resources
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\repair
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Provisioning
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\PeerNet
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\pchealth
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\mui
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\msapps
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\msagent
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Media
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\java
2008-08-03 08:32:08 0 d--h----- C:\WINDOWS\inf
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\ime
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Help
2008-08-03 08:32:08 0 dr--s---- C:\WINDOWS\Fonts
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\ehome
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Driver Cache
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Debug
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Cursors
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Connection Wizard
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\Config
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\AppPatch
2008-08-03 08:32:08 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-08-03 08:39:56 62 --ahs---- C:\Documents and Settings\brokebackbuddy\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29F3289E-01FD-4198-8184-908C74297732}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55D17579-F6FF-4A63-981B-6683F99B9972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFFA2A1B-4B47-4767-9271-8E4623DB09D5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
08/09/2008 01:41 AM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [04/25/2008 06:21 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLFvt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\progra~1\kasper~1\kasper~1\mzvkbd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsv68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwa25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
S3tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-09 02:53:02 ------------

#7 SifuMike (malware expert)

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 10:34 AM

Hi kalebbroo,

This infection is being sticky, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Kaspersky Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable Kaspersky Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for the Kaspersky icon.
  • right click it -> select Pause Protection.
  • click on -> By User Request
  • a popup will claim that protection is now disabled and the tray icon will change to the paused sign.
You successfully disabled the Kaspersky Antivirus Guard.


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 kalebbroo (Topic Starter)

  • Members
  • 45 posts

Posted 09 August 2008 - 01:35 PM

ComboFix 08-08-08.08 - brokebackbuddy 2008-08-09 14:24:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.198 [GMT -7:00]
Running from: C:\Documents and Settings\brokebackbuddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\brokebackbuddy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jvoijinh.ini2
C:\WINDOWS\system32\jvoijinh.tmp
C:\WINDOWS\system32\ukhywjap.ini
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 02:38 . 2008-04-13 17:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-09 02:26 . 2008-08-09 02:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-09 02:26 . 2008-08-09 02:26 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-09 02:26 . 2008-08-09 02:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-09 02:26 . 2008-08-09 02:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-09 02:21 . 2008-08-09 02:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\uTorrent
2008-08-09 01:53 . 2008-08-09 01:54 <DIR> d-------- C:\Documents and Settings\brokebackbuddy\Application Data\uTorrent
2008-08-09 01:52 . 2008-08-09 01:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-09 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:42 . 2008-08-09 02:11 <DIR> d-------- C:\Program Files\Java
2008-08-09 01:42 . 2008-08-09 01:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:41 . 2008-08-09 01:41 <DIR> d-------- C:\Program Files\FrostWire
2008-08-09 01:41 . 2008-08-09 01:41 <DIR> d-------- C:\Program Files\AskSBar
2008-08-09 01:38 . 2008-08-09 01:38 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-08-09 00:49 . 2008-08-09 00:49 <DIR> d-------- C:\Documents and Settings\brokebackbuddy\Application Data\Malwarebytes
2008-08-09 00:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 00:48 . 2008-08-09 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 00:48 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 00:47 . 2008-08-09 00:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 22:07 . 2008-08-03 22:15 182 --a------ C:\WINDOWS\wininit.ini
2008-08-03 20:31 . 2008-08-03 20:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 20:10 . 2008-08-03 20:10 <DIR> d-------- C:\Deckard
2008-08-03 19:19 . 2008-05-08 07:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-03 19:16 . 2008-06-13 04:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-03 19:16 . 2008-06-13 04:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-03 18:06 . 2008-08-03 18:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 18:06 . 2008-08-03 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 16:49 . 2008-08-09 00:39 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-03 16:49 . 2008-08-03 17:11 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-03 16:47 . 2008-08-03 16:47 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-03 16:47 . 2008-08-09 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-03 16:47 . 2008-08-09 14:30 835,104 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 16:47 . 2008-08-09 14:27 196,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-03 16:47 . 2008-08-09 14:30 8,652 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-03 16:47 . 2008-08-09 14:27 2,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-03 16:45 . 2008-08-03 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 16:35 . 2004-08-03 22:29 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-08-03 16:33 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-03 16:19 . 2008-08-09 01:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-03 16:19 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-03 16:11 . 2008-08-03 16:11 <DIR> d---s---- C:\Documents and Settings\brokebackbuddy\UserData
2008-08-03 16:10 . 2008-08-09 14:26 <DIR> d-------- C:\Documents and Settings\brokebackbuddy
2008-08-03 16:07 . 2008-08-03 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-08-03 16:07 . 2008-08-03 16:07 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-08-03 16:07 . 2008-08-03 16:07 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-08-03 16:07 . 2008-08-03 16:07 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-08-03 16:04 . 2008-04-13 17:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-03 16:03 . 2004-08-04 05:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-03 16:02 . 2008-08-03 16:02 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-08-03 16:02 . 2008-08-03 16:02 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-08-03 16:01 . 2008-08-09 02:41 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-08-03 16:01 . 2008-08-03 16:01 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-03 16:01 . 2008-08-03 16:01 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-03 16:00 . 2008-08-03 16:01 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsv68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwa25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
--a------ 2003-02-25 04:33 69632 C:\WINDOWS\system32\S3tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S0 Winhl47;Winhl47;C:\WINDOWS\system32\Drivers\Winhl47.sys []
S0 Winsv68;Winsv68;C:\WINDOWS\system32\Drivers\Winsv68.sys []
S0 Winua25;Winua25;C:\WINDOWS\system32\Drivers\Winua25.sys []
S0 Winwa25;Winwa25;C:\WINDOWS\system32\Drivers\Winwa25.sys []
.
- - - - ORPHANS REMOVED - - - -

BHO-{29F3289E-01FD-4198-8184-908C74297732} - (no file)
BHO-{AFFA2A1B-4B47-4767-9271-8E4623DB09D5} - (no file)
Notify-ssqRLFvt - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\brokebackbuddy\Application Data\Mozilla\Firefox\Profiles\hltjf0xg.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 14:29:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-09 14:31:53 - machine was rebooted [brokebackbuddy]
ComboFix-quarantined-files.txt 2008-08-09 21:31:45

Pre-Run: 34,767,896,576 bytes free
Post-Run: 34,703,560,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

147 --- E O F --- 2008-08-09 09:35:31
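
The ComboFix output above lists four stopped boot-start drivers (Winhl47, Winsv68, Winua25, Winwa25) whose image files ComboFix did not find (the empty `[]` after the path), each of which also has a key under SafeBoot\Minimal; the Deckard Registry Dump earlier in the thread showed the same SafeBoot keys. The following is an added Python triage script for this kind of log, written for this page and not part of ComboFix, Deckard's System Scanner or BleepingComputer. It parses service lines in the "Reg Loading Points" format and the SafeBoot keys, then flags load points that point at missing files, carry no vendor description, or are wired to load in Safe Mode. The line shape and the meaning of the leading letter and digit (R/S for running/stopped, digit for the Windows service start type) are assumptions read off the log, not a documented specification, and the sample input is constructed from lines quoted in the log above.

```python
"""Triage helper for ComboFix-style "Reg Loading Points" output.

Added example for this thread; it is not part of ComboFix, Deckard's System
Scanner or BleepingComputer. The line format and the meaning of the leading
letter/digit are assumptions drawn from the log posted above.
"""
import re

# Constructed sample: SafeBoot keys and service lines copied from the
# ComboFix log above, with two legitimate Kaspersky drivers for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsv68.sys]
@="Driver"

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S0 Winhl47;Winhl47;C:\WINDOWS\system32\Drivers\Winhl47.sys []
S0 Winsv68;Winsv68;C:\WINDOWS\system32\Drivers\Winsv68.sys []
S0 Winua25;Winua25;C:\WINDOWS\system32\Drivers\Winua25.sys []
"""

# Assumed line shape: "<R|S><start type> <name>;<display name>;<image path> [<file timestamp>]"
# R = running, S = stopped; the digit is taken to be the Windows service start
# type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled). ComboFix leaves the
# bracket empty when it found no file at the image path.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")

# SafeBoot\Minimal (or \Network) keys name the drivers/services Windows still
# loads in Safe Mode, which is why a cleaner looks at them.
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]$",
    re.IGNORECASE,
)


def parse_log(text):
    """Return (list of service dicts, set of lower-cased SafeBoot entry names)."""
    services, safeboot = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, start_type, name, display, path, stamp = m.groups()
            services.append({
                "state": state,
                "start_type": int(start_type),
                "name": name,
                "display": display,
                "path": path,
                "file_seen": bool(stamp.strip()),
            })
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            safeboot.add(m.group(2).lower())
    return services, safeboot


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(services, safeboot):
    """Map service name -> list of reasons, for entries worth a closer look."""
    findings = {}
    for svc in services:
        reasons = []
        if not svc["file_seen"]:
            reasons.append("image file not found on disk at scan time")
            if svc["start_type"] == 0:
                reasons.append("boot-start driver whose image is missing (orphaned load point)")
        if svc["display"] == svc["name"]:
            reasons.append("display name identical to service name (no vendor description)")
        if svc["name"].lower() in safeboot or _basename(svc["path"]) in safeboot:
            reasons.append("also registered under SafeBoot, so it would load in Safe Mode")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    services, safeboot = parse_log(SAMPLE_LOG)
    for name, reasons in triage(services, safeboot).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On the constructed sample the two Kaspersky drivers pass clean and the three Win*.sys entries are flagged; to run it on a real log, read C:\ComboFix.txt into a string and pass it to parse_log in place of SAMPLE_LOG. The flags are only reasons to look closer: a driver whose file is missing cannot do anything by itself, but the load point and SafeBoot key are leftovers that a helper would normally clean up, which is consistent with the orphan entries ComboFix reported removing in the same log.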

#9 SifuMike (malware expert)

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 02:02 PM

Hi kalebbroo,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

You will need to disable your Kaspersky Antivirus while running ESET online scanner.

Please go to the following link ESET Online Scanner Link
Tick the box YES, I accept the Terms Of Use
Click the Start button
Now click the Install button
Click Start

The scanner engine will initialise and update

Do Not tick the box Remove found threats
Click the Scan button

The scan will now run, please be patient

When the scan finishes click the Details tab
Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here along with a fresh Hijackthis log.

#10 kalebbroo (Topic Starter)

  • Members
  • 45 posts

Posted 09 August 2008 - 08:02 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3342 (20080809)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=9c5a9b67163b4641b3ffc08a00e2dc0f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-08-10 03:57:59
# local_time=2008-08-09 08:57:59 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=145455
# found=1
# scan_time=1841
C:\Deckard\System Scanner\20080803204310\backup\DOCUME~1\BROKEB~1\LOCALS~1\Temp\removalfile.bat Win32/Adware.Virtumonde application 9A7EF09167A6F4433681B94351509043







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:20 PM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

--
End of file - 3323 bytes

#11 SifuMike (malware expert)

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 08:13 PM

Hi kalebbroo,

Kaspersky found some malware in your temp files so we will clean them.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please tell me how your computer is running. :thumbsup:

We still have to do the program clean up.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 kalebbroo

kalebbroo
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:04:09 AM

Posted 09 August 2008 - 08:26 PM

It's running 300 times better!!!! Considering it's an older computer with only 352 MB of RAM, I'm actually surprised how well it's running, just because of the little RAM it has.

#13 kalebbroo

kalebbroo
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:04:09 AM

Posted 09 August 2008 - 08:28 PM

Here's a new HijackThis log after running ATF in case you needed it. Thanks for the help in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:15 PM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

--
End of file - 3274 bytes
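As an added example, not part of this thread or of the HijackThis tool itself, a small parser for the HijackThis log format posted above: it pulls each entry's section code, CLSID and file path so the autostart items (O4, O23) and browser add-ons (O2, O3, O9) can be reviewed in one place. The sample log embedded below is a constructed subset of the lines shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape of the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
"""

# Entry lines start with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# A Windows path up to the first .exe/.dll/.cab extension; quotes are excluded.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|cab)', re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]


def parse_hjt(log: str) -> List[Entry]:
    """Return one Entry per log line that carries a section code; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        c, p = CLSID_RE.search(body), PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, c.group(0).upper() if c else None, p.group(0) if p else None))
    return entries


def inventory(entries: List[Entry]) -> dict:
    """Group what runs at boot (O4, O23) and what the browser loads (O2, O3, O9)."""
    groups = {"autostart": [], "browser": []}
    for e in entries:
        if e.code in ("O4", "O23"):
            groups["autostart"].append(e.path)
        elif e.code in ("O2", "O3", "O9"):
            groups["browser"].append((e.clsid, e.path))
    return groups


def unique_binaries(entries: List[Entry]) -> List[str]:
    """Distinct on-disk files referenced by the log, lower-cased, for hashing or lookup."""
    return sorted({e.path.lower() for e in entries if e.path})
```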

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:09 AM

Posted 09 August 2008 - 09:33 PM

Hi kalebbroo,

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please read and follow How did I get infected?, with steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#15 kalebbroo

kalebbroo
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:04:09 AM

Posted 09 August 2008 - 11:41 PM

THANK YOU!



