
Infected With Explorer.exe


  • This topic is locked
2 replies to this topic

#1 omais


  • Members
  • 3 posts

Posted 05 August 2008 - 01:52 AM

Deckard's System Scanner v20071014.68
Run by Omais on 2008-08-05 12:42:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
85: 2008-08-05 07:42:18 UTC - RP85 - Deckard's System Scanner Restore Point
84: 2008-08-05 07:16:57 UTC - RP84 - Last known good configuration
83: 2008-08-05 07:16:54 UTC - RP83 - Installed Windows XP KB938828.
82: 2008-08-05 07:16:54 UTC - RP82 - Uniblue RegistryBooster
81: 2008-08-05 07:16:54 UTC - RP81 - Removed Raptor.


-- First Restore Point --
1: 2008-08-05 07:16:47 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Omais.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:46 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Antipoisoner\AntiPoisoner.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Documents and Settings\Omais\My Documents\Downloads\Programs\dss.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Omais.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTor1.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: winhost_app.winhost_appdll - {5E06398E-3017-467B-A399-18425A20F655} - C:\WINDOWS\winhost_app.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTor1.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CBHOObject Object - {C721F480-198A-47D2-BEE9-DB11D881EF3D} - E:\Child Protector\AllPornGoneBHO.dll
O2 - BHO: (no name) - {D2C2ED2A-3943-43B4-8490-BB980B186C08} - C:\WINDOWS\system32\rqRLcYOe.dll
O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTor1.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - Startup: AntiPoisoner.lnk = C:\Program Files\Antipoisoner\AntiPoisoner.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: ????????P
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5879 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>

S3 catchme - c:\docume~1\omais\locals~1\temp\catchme.sys (file missing)
S3 ddsxeiservice (ddsxeiservice2) - c:\program files\sxe injected\ddsxei.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4385&SUBSYS_73271462&REV_13\3&267A616A&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4385&SUBSYS_73271462&REV_13\3&267A616A&0&A0
Service:


-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 12:17:28 0 d-------- C:\Program Files\Trend Micro
2008-08-05 12:17:04 446100 --ahs---- C:\WINDOWS\system32\eOYcLRqr.ini2
2008-08-05 12:03:01 0 d-------- C:\Program Files\PC Washer
2008-08-05 11:58:32 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-08-05 11:58:17 0 d-------- C:\Program Files\CleanMyPC
2008-08-05 11:50:41 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-08-05 11:48:09 0 d-------- C:\WINDOWS\LastGood
2008-08-05 11:42:27 0 d-------- C:\Documents and Settings\Omais\Application Data\Malwarebytes
2008-08-05 11:42:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 11:42:22 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-05 00:15:53 0 d-------- C:\WINDOWS\ERUNT
2008-08-04 23:49:01 0 dr-h----- C:\Documents and Settings\Omais\Recent
2008-08-04 22:46:39 0 d-------- C:\Program Files\CBS Software
2008-08-04 22:40:50 0 d-------- C:\Program Files\WinPcap
2008-08-04 22:40:41 0 d-------- C:\Program Files\Cain
2008-08-04 22:37:38 0 d-------- C:\Documents and Settings\Omais\Application Data\Direct Folders
2008-08-04 22:33:11 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-08-04 21:45:17 0 d-------- C:\WINDOWS\system32\Crack
2008-08-04 21:22:11 0 d-------- C:\Program Files\KaraFun
2008-08-04 21:14:28 32 --a------ C:\WINDOWS\go
2008-08-04 20:50:18 0 d-------- C:\Program Files\Rapid.DeCoder
2008-08-04 20:45:58 0 d-------- C:\Program Files\RapidLeecher
2008-08-04 20:26:07 0 d-------- C:\Program Files\Intelore
2008-08-04 15:18:29 0 d-------- C:\Program Files\Ares
2008-08-04 14:07:28 932 --a------ C:\WINDOWS\system32\asst03.dll
2008-08-04 14:05:16 40 --a------ C:\WINDOWS\system32\hrwd8.dll
2008-08-04 14:04:13 299008 --a------ C:\WINDOWS\system32\winwmbcay.dll
2008-08-04 14:04:13 18432 --a------ C:\WINDOWS\system32\winint.dll
2008-08-04 14:04:13 266240 --a------ C:\WINDOWS\system32\Mp3Doctor2.dll <Not Verified; NCT Company; NCTAudioTransform ActiveX DLL>
2008-08-04 14:04:13 1089536 --a------ C:\WINDOWS\system32\Mp3Doctor1.dll <Not Verified; Pro-Software; Mp3Doctor1 ActiveX DLL>
2008-08-04 14:04:13 204800 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-08-04 14:04:13 90112 --a------ C:\WINDOWS\system32\ID3v23xBase.DLL <Not Verified; inGEO Solutions; ID3v23x>
2008-08-04 14:04:12 0 d-------- C:\Program Files\Mp3Doctor
2008-08-04 13:30:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SRS Labs
2008-08-04 00:16:43 90624 --a------ C:\WINDOWS\system32\sxpovuxl.dll
2008-08-03 20:49:11 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SRSLabs
2008-08-03 20:48:38 0 d-------- C:\Program Files\Common Files\SRS
2008-08-03 20:48:36 0 d-------- C:\Program Files\SRSLabs
2008-08-03 14:58:27 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-02 23:33:39 90624 --a------ C:\WINDOWS\system32\hklaqqlv.dll
2008-08-02 16:24:15 0 d-------- C:\Program Files\My-Proxy
2008-08-02 16:24:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\EPS
2008-08-01 23:34:38 90624 --a------ C:\WINDOWS\system32\uarqgfhu.dll
2008-08-01 19:23:29 0 d-------- C:\Program Files\Rapidshare Unlimited
2008-08-01 18:45:02 0 d-------- C:\Program Files\Rapid Hacker
2008-08-01 13:46:28 0 d-------- C:\Documents and Settings\Omais\Application Data\BitDefender
2008-08-01 13:43:57 0 d-------- C:\Program Files\BitDefender
2008-08-01 13:43:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\BitDefender
2008-08-01 13:02:24 90112 --a------ C:\WINDOWS\system32\jwolxbna.dll
2008-08-01 00:30:53 0 d-------- C:\WINDOWS\rapidup 1.3.5
2008-08-01 00:25:59 90112 --a------ C:\WINDOWS\system32\xocvjfuf.dll
2008-07-31 23:57:09 246272 --a------ C:\WINDOWS\system32\rqRLcYOe.dll
2008-07-31 22:32:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2008-07-31 16:49:26 0 d-------- C:\Program Files\ETD Security Scanner
2008-07-31 10:42:04 0 d-------- C:\Documents and Settings\Omais\Application Data\UseNeXT
2008-07-31 08:38:09 0 d-------- C:\downloads
2008-07-31 08:36:27 0 d-------- C:\Program Files\Raptor
2008-07-31 08:30:42 0 d-------- C:\Documents and Settings\Omais\Application Data\Yahoo! Messenger
2008-07-30 16:09:16 0 d-------- C:\Program Files\Download Direct
2008-07-30 14:50:22 0 d-------- C:\Program Files\ZipALot
2008-07-30 14:46:33 36864 --a------ C:\WINDOWS\winhost_app.dll <Not Verified; Microsoft Corporation; WinHost Application>
2008-07-30 14:23:30 0 d-------- C:\Documents and Settings\Omais\Application Data\GrabPro
2008-07-30 14:23:28 0 d-------- C:\Documents and Settings\Omais\Application Data\Orbit
2008-07-30 14:23:27 0 d-------- C:\Program Files\Orbitdownloader
2008-07-29 17:51:51 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-29 15:03:36 155648 --a------ C:\WINDOWS\system32\libssl32.dll
2008-07-29 15:03:34 0 d-------- C:\OpenSSL
2008-07-28 22:02:01 0 d-------- C:\Documents and Settings\Omais\Application Data\RapidGet
2008-07-28 13:35:10 0 d-------- C:\Program Files\DC++
2008-07-28 13:01:55 0 d-------- C:\Program Files\7-Zip
2008-07-27 23:21:57 0 d-------- C:\Documents and Settings\Omais\dwhelper
2008-07-27 12:52:15 0 d-------- C:\Program Files\Yahoo!
2008-07-26 19:23:35 0 d-------- C:\Program Files\HWiNFO32
2008-07-26 15:59:08 0 d-------- C:\Documents and Settings\Omais\Application Data\Help
2008-07-25 16:20:53 0 d-------- C:\Program Files\sXe Injected
2008-07-25 15:42:36 0 d-------- C:\Program Files\Power Meter Plus
2008-07-24 01:03:53 0 d-------- C:\Program Files\Common Files\EasyInfo
2008-07-20 21:20:14 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-07-20 21:20:14 0 d-------- C:\Program Files\SoftwareClub.ws
2008-07-20 20:38:20 0 d-------- C:\Program Files\uTorrent
2008-07-20 20:38:11 0 d-------- C:\Documents and Settings\Omais\Application Data\uTorrent
2008-07-19 17:25:50 0 d-------- C:\Program Files\Conduit
2008-07-19 17:25:49 0 d-------- C:\Program Files\TorrentMan
2008-07-19 17:25:31 0 d-------- C:\Program Files\BitLord
2008-07-17 23:17:44 0 d-------- C:\Program Files\Valve3
2008-07-17 21:58:24 0 d-------- C:\Documents and Settings\Omais\Application Data\Uniblue
2008-07-17 21:58:20 0 d-------- C:\Program Files\Uniblue
2008-07-17 08:49:27 139 --a------ C:\WarCraft3TheFrozenThrone-pccheat
2008-07-15 10:47:40 0 d-------- C:\Program Files\4U Computing
2008-07-14 07:43:55 0 d-------- C:\Program Files\Cheatbook Database 2006
2008-07-13 15:43:18 0 d-------- C:\YouTubeVideos
2008-07-12 19:51:52 0 d-------- C:\Program Files\Power Mp3 Cutter(Mp3 Sound Cutter)
2008-07-09 21:06:28 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-09 21:06:28 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-07-09 21:06:28 61616 --a------ C:\WINDOWS\War3Unin.dat
2008-07-07 22:55:17 0 d-------- C:\Program Files\MagicISO
2008-07-07 19:47:00 0 d-------- C:\Program Files\ExtractNow


-- Find3M Report ---------------------------------------------------------------

2008-08-05 11:41:08 0 d-------- C:\Documents and Settings\Omais\Application Data\DMCache
2008-08-03 20:48:38 0 d-------- C:\Program Files\Common Files
2008-08-03 14:48:03 0 d-------- C:\Program Files\Opera
2008-08-03 14:07:20 0 d-------- C:\Program Files\Antipoisoner
2008-08-01 18:11:50 0 d-------- C:\Documents and Settings\Omais\Application Data\TeraCopy
2008-07-21 13:43:21 0 d-------- C:\Documents and Settings\Omais\Application Data\IDM
2008-07-06 20:05:32 0 d-------- C:\Documents and Settings\Omais\Application Data\Real
2008-07-06 00:02:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 20:21:06 0 d-------- C:\Program Files\nwsp
2008-07-04 19:16:32 79066 --a------ C:\WINDOWS\hpfins05.dat
2008-07-04 19:11:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-04 17:41:31 618 --a------ C:\WINDOWS\PowerReg.dat
2008-07-03 20:33:01 0 d-------- C:\Documents and Settings\Omais\Application Data\Mozilla
2008-07-02 14:16:56 0 d-------- C:\Program Files\Realtek
2008-07-02 13:49:58 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-07-02 13:47:22 0 d-------- C:\Program Files\Driver Sweeper
2008-06-30 15:03:34 0 d-------- C:\Program Files\ffdshow
2008-06-30 15:00:21 0 d-------- C:\Program Files\PlayFLV
2008-06-29 02:08:51 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-06-29 00:30:52 0 d-------- C:\Documents and Settings\Omais\Application Data\DAEMON Tools
2008-06-28 16:32:57 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-06-28 00:03:43 0 d-------- C:\Program Files\Internet Download Manager
2008-06-26 11:01:38 0 d-------- C:\Program Files\Vypress Chat
2008-06-26 10:37:15 0 d-------- C:\Documents and Settings\Omais\Application Data\VyPRESS
2008-06-25 17:16:25 0 d-------- C:\Documents and Settings\Omais\Application Data\Adobe
2008-06-25 12:20:34 0 d-------- C:\Program Files\AMD
2008-06-24 22:54:47 62 --ahs---- C:\Documents and Settings\Omais\Application Data\desktop.ini
2008-06-24 19:24:56 0 d-------- C:\Documents and Settings\Omais\Application Data\Media Player Classic
2008-06-24 19:05:41 0 d-------- C:\Documents and Settings\Omais\Application Data\Macromedia
2008-06-24 18:53:16 0 d-------- C:\Program Files\MSN Messenger
2008-06-24 18:30:47 430080 --a------ C:\WINDOWS\system32\wmpheadphones.dll
2008-06-24 18:30:47 0 d-------- C:\Program Files\4front-headphones-1
2008-06-24 18:30:38 2912256 --a------ C:\WINDOWS\system32\wmposs3d.dll <Not Verified; ; oss3dgui Module>
2008-06-24 18:30:38 0 d-------- C:\Program Files\4front-oss3d-7
2008-06-24 18:28:52 0 d-------- C:\Program Files\Java
2008-06-24 18:24:30 0 d-------- C:\Documents and Settings\Omais\Application Data\WinRAR
2008-06-24 18:18:16 0 d-------- C:\Documents and Settings\Omais\Application Data\vlc
2008-06-24 18:16:29 0 d-------- C:\Program Files\VideoLAN
2008-06-24 18:13:08 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-24 18:09:33 0 d-------- C:\Documents and Settings\Omais\Application Data\Identities
2008-06-24 18:08:38 0 d-------- C:\Documents and Settings\Omais\Application Data\Opera
2008-06-24 18:07:47 0 d-------- C:\Program Files\HP
2008-06-24 18:07:16 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-24 18:06:12 0 d-------- C:\Documents and Settings\Omais\Application Data\HP
2008-06-24 18:01:30 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-24 18:01:02 0 d-------- C:\Program Files\Messenger
2008-06-24 17:57:40 0 d-------- C:\Documents and Settings\Omais\Application Data\Sun
2008-06-24 17:35:19 0 d-------- C:\Program Files\Arrange Startup
2008-06-23 15:50:23 0 d-------- C:\Program Files\Common Files\DFX
2008-06-22 21:14:59 0 d-------- C:\Program Files\EvilLyrics
2008-06-22 21:12:29 0 d-------- C:\Program Files\Common Files\Filseclab
2008-06-22 20:39:49 0 d-------- C:\Program Files\Movie Maker
2008-06-13 15:51:21 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-16 14:01:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-16 14:01:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-16 14:01:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-16 14:01:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-16 14:01:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-16 14:01:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-16 14:01:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-16 14:01:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E06398E-3017-467B-A399-18425A20F655}]
02/17/2008 04:11 AM 36864 --a------ C:\WINDOWS\winhost_app.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
07/27/2008 03:05 AM 1569304 --a------ C:\Program Files\TorrentMan\tbTor1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C721F480-198A-47D2-BEE9-DB11D881EF3D}]
10/26/2005 05:21 PM 106496 --a------ E:\Child Protector\AllPornGoneBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2C2ED2A-3943-43B4-8490-BB980B186C08}]
07/31/2008 11:57 PM 246272 --a------ C:\WINDOWS\system32\rqRLcYOe.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= C:\Program Files\TorrentMan\tbTor1.dll [07/27/2008 03:05 AM 1569304]
"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}"= C:\Program Files\Orbitdownloader\GrabPro.dll [07/21/2008 05:57 PM 433272]

[-HKEY_CLASSES_ROOT\CLSID\{7C5C0F58-E061-457D-9033-77307F5ED00C}]

[-HKEY_CLASSES_ROOT\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}]
[HKEY_CLASSES_ROOT\GrabPro.FindBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{8091D09E-B01D-4D32-AC66-BBF8916BB1CF}]
[HKEY_CLASSES_ROOT\GrabPro.FindBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/16/2008 02:01 PM]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [10/09/2007 03:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [02/16/2008 05:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [06/22/2008 08:59 PM]

C:\Documents and Settings\Omais\Start Menu\Programs\Startup\
AntiPoisoner.lnk - C:\Program Files\Antipoisoner\AntiPoisoner.exe [2/28/2008 4:20:21 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=???????
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLcYOe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent Client]
btorrentcli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"usnjsvc"=2 (0x2)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

*Newly Created Service* - MBAMSWISSARMY



-- End of Deckard's System Scanner: finished at 2008-08-05 12:43:28 ------------



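An added triage example, not part of omais's post and not code from Deckard's System Scanner, HijackThis or Malwarebytes: a small Python script that scans HijackThis-style lines for the signs that stand out in the log above. The sample lines are copied from the log (plus one benign Java BHO) and embedded inline, so it runs offline; the heuristics (an eight-letter mixed-case stem, an image sitting directly in C:\WINDOWS, a "(no file)" orphan, a garbled AppInit_DLLs value) are my own assumptions about what is worth a second look, not rules from any of those tools. The check that matters most is the last one: the DSS registry dump lists C:\WINDOWS\system32\rqRLcYOe under LSA "Authentication Packages" next to the stock msv1_0, and every DLL named there is loaded into lsass.exe at boot, independently of the O2 BHO registration of the same file.

```python
"""Triage heuristics for HijackThis / DSS log lines (added example, runs offline)."""
import re

# Constructed sample input: lines copied from the HijackThis section of the log
# above, plus one benign Java BHO, so the script runs without any other input.
SAMPLE_HJT = """\
O2 - BHO: winhost_app.winhost_appdll - {5E06398E-3017-467B-A399-18425A20F655} - C:\\WINDOWS\\winhost_app.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D2C2ED2A-3943-43B4-8490-BB980B186C08} - C:\\WINDOWS\\system32\\rqRLcYOe.dll
O20 - AppInit_DLLs: ????????P
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\\Program Files\\BitDefender\\BitDefender 2008\\vsserv.exe
"""

# The LSA line from the DSS registry dump. Every package named here is loaded
# into lsass.exe at boot; msv1_0 is the only one a stock Windows XP install has.
SAMPLE_LSA = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\rqRLcYOe'
STOCK_AUTH_PACKAGES = {"msv1_0"}

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def case_transitions(stem):
    """Count upper<->lower switches between adjacent characters."""
    return sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())


def looks_random(filename):
    """Assumed heuristic: an 8-letter stem with 3+ case switches (rqRLcYOe, eOYcLRqr)."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) == 8 and stem.isalpha() and case_transitions(stem) >= 3


def image_path(rest):
    """The last ' - ' separated field of an O2/O3/O9/O23 line is the image path."""
    return rest.rsplit(" - ", 1)[-1].strip()


def triage_line(line):
    """Return the reasons one HJT line deserves a closer look (empty if none)."""
    m = HJT_LINE.match(line)
    if not m:
        return []
    kind, rest = m.groups()
    if kind == "O20" and rest.startswith("AppInit_DLLs"):
        value = rest.split(":", 1)[1].strip()
        # HJT prints '?' for bytes it cannot render; a real DLL list is plain ASCII.
        if value and ("?" in value or not value.isascii()):
            return ["AppInit_DLLs value is non-printable or garbled"]
        return []
    path = image_path(rest)
    if path == "(no file)":
        return ["orphaned entry: registered CLSID but no file on disk"]
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if looks_random(name):
        reasons.append(f"random-looking filename {name}")
    if re.fullmatch(r"(?i)c:\\windows\\[^\\]+", path):
        reasons.append("image sits directly in the Windows directory")
    return reasons


def triage_log(text):
    """Map every flagged line to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


def unknown_auth_packages(lsa_line):
    """Names under LSA 'Authentication Packages' that are not stock packages."""
    value = lsa_line.split("=", 1)[1]
    return [p for p in value.split() if p.lower() not in STOCK_AUTH_PACKAGES]


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_HJT).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    for pkg in unknown_auth_packages(SAMPLE_LSA):
        print("LSA authentication package loaded into lsass.exe at boot:", pkg)
```

Run as-is it prints the four flagged HijackThis lines and the extra LSA package; to use it on a full log, feed the O2/O3/O9/O20/O23 lines to triage_log and the "Authentication Packages" line from the registry dump to unknown_auth_packages. The filename heuristic is deliberately narrow so it does not fire on ordinary names; the all-lowercase eight-letter DLLs in the "Files created" list above (same size, one per day) would need a separate check on creation date and size.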



#2 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 12:23 AM

Hello omais,


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 August 2008 - 11:44 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



