
Hard Drive Has A Red X For Icon


  • This topic is locked
10 replies to this topic

#1 Rondar

Rondar

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 09 August 2008 - 08:55 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 22:15:05
Records in database: 1076270
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 33107
Threat name: 20
Infected objects: 38
Suspicious objects: 0
Duration of the scan: 01:44:12


File name / Threat name / Threats count
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\Common Files\WinAnonymous\stm.exe Infected: not-a-virus:FraudTool.Win32.SanitarDiska.ao 1
C:\Program Files\WinAnonymous\GDC.exe Infected: not-a-virus:FraudTool.Win32.SanitarDiska.aa 1
C:\Program Files\WinAnonymous\plug\stpHlpr.dll Infected: not-a-virus:FraudTool.Win32.SanitarDiska.aa 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL_tobedeleted_old.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
C:\quarantine\!update.exe.Vir.0 Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File 1
C:\quarantine\kb713501[1].Vir Infected: Trojan.Win32.LowZones.gb 1
C:\quarantine\NDR5.tmp.Vir Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\quarantine\NDRA.tmp.Vir.0 Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\quarantine\wuaclt.exe.Vir Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\quarantine\wuaclt.exe.Vir.0 Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\quarantine\wuaclt.exe.Vir.1 Infected: Trojan-Downloader.Win32.PurityScan.fk 1

The selected area was scanned.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-09 20:46:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-08-10 01:46:38 UTC - RP32 - Deckard's System Scanner Restore Point
3: 2008-08-09 20:29:35 UTC - RP31 - ComboFix created restore point
2: 2008-08-04 04:33:19 UTC - RP30 - Software Distribution Service 3.0
1: 2008-08-04 04:18:01 UTC - RP29 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 20:47:57
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146340152123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1238.0601.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1238.0601.dll
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe


--
End of file - 7563 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 IPN2120 (Instant Wireless-B PCI Adapter Driver) - c:\windows\system32\drivers\lsipnds.sys <Not Verified; Inprocomm, Inc.; Driver for INPROCOMM IPN2120 Wireless LAN Cards>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>

S3 clr_optimization_v2.0.50215_32 (.NET Runtime Optimization Service v2.0.50215_X86) - c:\windows\microsoft.net\framework\v2.0.50215\mscorsvw.exe <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
S3 nmraapache (Pure Networks Net2Go Service) - "c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe" -k runservice <Not Verified; Pure Networks, Inc.; Pure Networks Net2Go Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Intel® AIM External TV Encoder Driver 2
Device ID: DISPLAY\WATV03NT\4&1B50E3C7&0&80863007&00&01
Manufacturer: Intel Corporation
Name: Intel® AIM External TV Encoder Driver 2
PNP Device ID: DISPLAY\WATV03NT\4&1B50E3C7&0&80863007&00&01
Service: iAimTV2

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Instant Wireless-B PCI Adapter
Device ID: PCI\VEN_17FE&DEV_2120&SUBSYS_00201737&REV_00\4&B80044F&0&58F0
Manufacturer: Linksys
Name: Instant Wireless-B PCI Adapter
PNP Device ID: PCI\VEN_17FE&DEV_2120&SUBSYS_00201737&REV_00\4&B80044F&0&58F0
Service: IPN2120

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00B41028&REV_78\4&B80044F&0&60F0
Manufacturer: 3Com
Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00B41028&REV_78\4&B80044F&0&60F0
Service: EL90XBC


-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 15:28:57 68096 --a------ C:\WINDOWS\zip.exe
2008-08-09 15:28:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-09 15:28:57 98816 --a------ C:\WINDOWS\sed.exe
2008-08-09 15:28:57 80412 --a------ C:\WINDOWS\grep.exe
2008-08-09 15:28:57 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-09 15:28:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-09 15:28:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-09 15:28:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-09 14:38:14 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 21:53:54 0 d-------- C:\WINDOWS\system32\scripting
2008-08-03 21:53:46 0 d-------- C:\WINDOWS\l2schemas
2008-08-03 21:53:43 0 d-------- C:\WINDOWS\system32\en
2008-08-03 19:22:21 0 d-------- C:\Program Files\Pure Networks
2008-08-03 19:08:38 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-08-03 17:53:57 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-08-03 17:48:10 0 d-------- C:\Program Files\CCleaner


-- Find3M Report ---------------------------------------------------------------

2008-08-09 15:33:35 0 d-------- C:\Program Files\Common Files
2008-08-03 23:12:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-03 21:55:20 0 d-------- C:\Program Files\Messenger
2008-08-03 21:53:40 0 d-------- C:\Program Files\Movie Maker
2008-08-03 21:36:44 0 d-------- C:\Program Files\Windows NT
2008-08-03 19:07:42 0 d-------- C:\Program Files\Network magic
2008-08-03 17:40:02 0 d-------- C:\Program Files\Java
2008-06-03 23:07:09 23348 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-06-03 17:30:21 335 --a----c- C:\WINDOWS\mozregistry.dat
2008-05-18 21:01:19 2539 --a----c- C:\WINDOWS\unins000.dat
2008-05-18 20:58:28 691545 --a----c- C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03/06/2003 07:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [02/25/2003 05:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [01/08/2008 05:20 PM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [01/18/2008 10:32 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8e3ed40-bf38-11d9-ab8a-000c41b4ea19}]




-- End of Deckard's System Scanner: finished at 2008-08-09 20:50:15 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 382.23 MiB / 150.13 MiB
Pagefile Memory (total/avail): 921.08 MiB / 470.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.05 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 14.24 GiB total, 8.59 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 51536U3 - 14.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 14.24 GiB - C:

\\.\PHYSICALDRIVE1 - Maxtor Quasar 5400 - 4.04 GiB - partitions



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RYAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\RYAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=RYAN
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Backup Dell-Installed Programs --> MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
McAfee VirusScan Enterprise --> MsiExec.exe /I{1912F734-6580-4620-8AFD-ECCCEA19CDE2}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Network Magic --> C:\Documents and Settings\All Users\Application Data\Pure Networks\Setup\nmsetup.exe /uninstall
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /I{621AF8B2-75D2-4074-BA44-79178A617255}
Windows Live Messenger --> MsiExec.exe /X{33F8EAD4-B6EC-498B-B487-696B973D1C0C}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type22389 / Warning
Event Submitted/Written: 08/03/2008 09:56:19 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type22382 / Warning
Event Submitted/Written: 08/03/2008 07:04:32 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x800401F0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type31074 / Error
Event Submitted/Written: 08/09/2008 08:37:10 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type31073 / Error
Event Submitted/Written: 08/09/2008 07:37:09 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type31072 / Error
Event Submitted/Written: 08/09/2008 06:37:09 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type31071 / Error
Event Submitted/Written: 08/09/2008 05:37:08 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type31070 / Error
Event Submitted/Written: 08/09/2008 04:37:07 PM / 08/09/2008 04:37:08 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.



-- End of Deckard's System Scanner: finished at 2008-08-09 20:50:15 ------------


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 10 August 2008 - 05:45 PM

Hi

As you have already run Combofix - please post the log from it ...

THEN ...

Open a new notepad ...

Copy the text from the code box below into it ...

regedit /e search.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons"

Click > File > Save as > save as type "all files"

save it on the desktop & save it as search.bat

Double-click the bat file; if you get a popup saying a script is trying to run, please let it...

Double-click search.bat and a new text file, search.txt, will be created on the desktop.

Please paste the contents of the text file in your next reply...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
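As an added example, not part of steamwiz's post or the thread, the following PowerShell script reads the same Explorer DriveIcons key directly instead of exporting it, and flags drive letters whose icon override points outside the Windows directory (the usual sign of a rogue tool painting a red X on a disk). The HKLM/HKCU paths and the DriveIcons\<letter>\DefaultIcon layout are standard Explorer registry layout; the function name and the "Suspicious" heuristic are this example's own.

```powershell
# Added example, not from the thread: inspect the Explorer DriveIcons key that the
# search.bat above exports, and flag drive letters whose icon has been overridden.
# Assumes Windows PowerShell 5.1 on the affected machine, run from an elevated prompt.

function Get-DriveIconOverride {
    param(
        [string[]]$RegistryRoots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
        )
    )
    foreach ($root in $RegistryRoots) {
        # Key absent means no per-drive icon overrides in this hive.
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($driveKey in Get-ChildItem -Path $root) {
            # Layout is DriveIcons\<letter>\DefaultIcon, icon path in the (default) value.
            $iconKey = Join-Path -Path $driveKey.PSPath -ChildPath 'DefaultIcon'
            $iconValue = $null
            if (Test-Path -Path $iconKey) {
                $iconValue = (Get-ItemProperty -Path $iconKey).'(default)'
            }
            # Values look like "C:\path\file.ico" or "shell32.dll,8"; keep only the file part
            # and expand %SystemRoot%-style variables so the path can be tested.
            $iconFile = $null
            if ($iconValue) {
                $iconFile = [Environment]::ExpandEnvironmentVariables(
                    (($iconValue -split ',')[0]).Trim('"'))
            }
            $inSystemRoot = $false
            if ($iconFile) {
                $inSystemRoot = $iconFile.StartsWith($env:SystemRoot,
                    [StringComparison]::OrdinalIgnoreCase)
            }
            [pscustomobject]@{
                Hive       = ($root -split ':')[0]
                Drive      = $driveKey.PSChildName
                IconValue  = $iconValue
                FileExists = if ($iconFile) { Test-Path -LiteralPath $iconFile } else { $false }
                # Heuristic: an override outside %SystemRoot% deserves a look. A bare DLL
                # name such as shell32.dll,8 also trips this and should be checked by hand.
                Suspicious = [bool]($iconFile -and -not $inSystemRoot)
            }
        }
    }
}

Get-DriveIconOverride | Format-Table -AutoSize
```

An empty table means neither hive carries a DriveIcons override, in which case the red X comes from somewhere other than this key.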

#3 Rondar

Rondar
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 10 August 2008 - 08:27 PM

ComboFix 08-08-08.08 - Owner 2008-08-09 15:30:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.156 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\StorageProtector.exe.cer
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Documents and Settings\Owner\Application Data\SMANTE~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP


((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 04:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-08-04 00:07 --------- d-----w C:\Program Files\Network magic
2008-08-03 22:40 --------- d-----w C:\Program Files\Java
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-19 01:58 691,545 -c--a-w C:\WINDOWS\unins000.exe
2008-04-24 02:24 43 -c--a-w C:\Program Files\spacer.gif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 07:00 90182]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 05:00 139347]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 10:32 451896]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

S3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2003-06-24 22:17]
.
- - - - ORPHANS REMOVED - - - -

Notify-efcyxvs - efcyxvs.dll
Notify-pfuufnbj - pfuufnbj.dll


.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
O8 -: &Search - ?p=ZJ

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 15:39:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2008-08-09 15:44:52 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-09 20:44:38

Pre-Run: 9,102,577,664 bytes free
Post-Run: 9,297,604,608 bytes free

339 --- E O F --- 2008-08-04 04:34:33





Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]
@="%SystemRoot%\\system32\\shell32.dll,131"

#4 steamwiz

Posted 11 August 2008 - 04:06 PM

Hi

Open a new notepad ...

Copy the text from the code box below into it ...

@ECHO OFF
REM Remove any Query.txt left over from an earlier run so the output below is fresh
If exist Query.txt Del Query.txt
@ECHO Working.......
REM Record the whole DriveIcons key (all subkeys and values) to Query.txt
Reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /s >> Query.txt
REM Then delete the DriveIcons key without prompting
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /f
REM Open the recorded contents so they can be posted
start notepad Query.txt

Click > File > Save as > save as type "all files"

save it on the desktop & save it as Query.bat

Double-click the bat file; if you get a popup saying a script is trying to run, please let it...

A new text file, Query.txt, will be created on the desktop

Reboot

post the contents of the Query.txt

Has the Red X gone ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 Rondar (Topic Starter)

Posted 11 August 2008 - 09:03 PM

I created and ran the Query.bat file. I got a pop-up that was on screen for a split second, but no Query.txt file was created.

#6 steamwiz

Posted 12 August 2008 - 08:29 AM

HI

OK .. After a reboot Has the Red X gone ?

Please delete the search.txt from your desktop ... then run the search.bat again & post the contents of the new search.txt

steam

#7 Rondar (Topic Starter)

Posted 12 August 2008 - 08:12 PM

No... The red X is still there.



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]
@="%SystemRoot%\\system32\\shell32.dll,131"

#8 steamwiz

Posted 13 August 2008 - 02:26 PM

HI

OK ...

Open a new notepad & copy & paste the text from the code box below :-

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

Click > File > Save as > save as type "all files"

save it on the desktop & save it as fix.reg

Double-click the reg file, and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Reboot for the registry change to take effect ... has the red X gone ?

steam
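The Query.bat and fix.reg above both delete the DriveIcons key outright. As an added example (my own script, not the helper's), here is a PowerShell audit of the same key that lists every per-drive DefaultIcon/DefaultLabel override, flags the shell32.dll,131 value seen in this thread, and exports a drive's subkey to a .reg backup before removing it. It assumes Windows PowerShell 5.1 or later and an elevated session; checking the HKCU copy of the key and the Desktop backup location are my additions.

```powershell
# Added example for this thread (not the helper's script): audit Explorer's
# DriveIcons overrides and remove one only after a .reg backup.
# Assumes Windows PowerShell 5.1+ and an elevated session for HKLM changes.

$DriveIconsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons',  # key from the thread
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'   # per-user copy (assumption: also worth checking)
)

function Get-DriveIconOverride {
    # One object per drive letter that has a DriveIcons subkey in either hive.
    foreach ($base in $DriveIconsKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($drive in Get-ChildItem -LiteralPath $base) {
            $iconKey  = "$($drive.PSPath)\DefaultIcon"
            $labelKey = "$($drive.PSPath)\DefaultLabel"
            # '(default)' is how PowerShell exposes a key's unnamed value; absent -> $null
            $icon  = if (Test-Path -LiteralPath $iconKey)  { (Get-ItemProperty -LiteralPath $iconKey).'(default)' }
            $label = if (Test-Path -LiteralPath $labelKey) { (Get-ItemProperty -LiteralPath $labelKey).'(default)' }
            [pscustomobject]@{
                Hive         = $base.Split(':')[0]
                Drive        = $drive.PSChildName
                DefaultIcon  = $icon
                DefaultLabel = $label
                # The value the thread found under DriveIcons\c\DefaultIcon;
                # regex so it matches whether or not %SystemRoot% was expanded.
                MatchesThreadValue = [bool]($icon -match 'shell32\.dll,131$')
            }
        }
    }
}

function Remove-DriveIconOverride {
    # Deletes HKLM\...\DriveIcons\<Drive> after exporting it with reg.exe,
    # so the change can be reviewed or reverted. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]$')][string]$Drive,
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop')  # assumption: my choice of location
    )
    $regKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\$Drive"
    $psKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\$Drive"
    if (-not (Test-Path -LiteralPath $psKey)) {
        Write-Warning "No DriveIcons override for drive $Drive"
        return
    }
    # Timestamped name so reg.exe never has to overwrite an existing backup
    $backup = Join-Path $BackupDir ('DriveIcons_{0}_{1:yyyyMMdd_HHmmss}.reg' -f $Drive, (Get-Date))
    & reg.exe export $regKey $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $regKey; nothing was deleted" }
    if ($PSCmdlet.ShouldProcess($regKey, "delete key (backup: $backup)")) {
        Remove-Item -LiteralPath $psKey -Recurse -Force
        # Explorer caches drive icons: sign out or reboot, as the thread does,
        # before judging whether the icon is back to normal.
    }
    return $backup
}

# Usage: list the overrides first, then dry-run the removal for C:
Get-DriveIconOverride | Format-Table -AutoSize
Remove-DriveIconOverride -Drive c -WhatIf
```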

#9 Rondar (Topic Starter)

Posted 13 August 2008 - 08:33 PM

The red X is gone!!!

Thank you so much for all your help!

#10 steamwiz

Posted 14 August 2008 - 03:07 PM

HI

Great :thumbsup:

Please do this now :-

Empty the contents of this folder :-

C:\quarantine

THEN ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam

#11 steamwiz

Posted 12 September 2008 - 05:17 PM

As this thread is resolved, :thumbsup: it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam



