Hijackthis Log


This topic is locked.
14 replies to this topic

#1 turkanator (Members, 24 posts)

Posted 11 September 2008 - 10:57 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:07 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - (no file)
O2 - BHO: (no name) - {DFDCFCE7-56B0-4B17-A903-3B918555BD46} - (no file)
O2 - BHO: {9bd877fa-79ad-e579-1af4-805b0798bc0f} - {f0cb8970-b508-4fa1-975e-da97af778db9} - C:\WINDOWS\system32\rrgccovh.dll
O2 - BHO: Aero skin - {FFFFFFFF-85A3-452b-B7A8-759AD9B42162} - swin32.dll (file missing)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Turk\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Turk\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207942096109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211435122199
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/in/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{917928AE-E9E2-4970-A746-348C42FAB77B}: NameServer = 64.136.44.74 64.136.52.74
O20 - Winlogon Notify: jkkHYsTL - jkkHYsTL.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

--
End of file - 6591 bytes
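The log above is raw data, so the entries an analyst reads first are easy to miss among the NetZero and Spybot lines: the O2 BHO whose display name is itself a GUID and which loads C:\WINDOWS\system32\rrgccovh.dll, the O20 Winlogon Notify hook for a now-missing jkkHYsTL.dll (Winlogon Notify DLLs load inside winlogon.exe at logon), and the O23 "Task Scheduler (Schedule)" service with no owner pointing at system32\drivers\spools.exe, whereas the genuine Schedule service on Windows XP is hosted by svchost.exe. The Python script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool the helpers use. It parses the "<section> - <body>" line format HijackThis emits and applies those checks to a handful of lines copied from the posted log. The severity labels are my own, and the decision to report the 127.0.0.1:7900 proxy only as informational reflects my reading that it belongs to the NetZero accelerator components (qsacc\x1exec.exe) listed in the same log, which the reader should verify rather than assume.

```python
"""HijackThis v2 log triage.

Added example for this thread; not part of HijackThis or of the original
post. It parses the "<section> - <body>" line format HijackThis emits and
flags the entry types an analyst reads first. SAMPLE_LOG holds lines copied
from the log posted above; the heuristics and severities are the example
author's assumptions, not HijackThis output.
"""
import re

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d)\s+-\s+(.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# XP services that are always hosted by svchost.exe; an O23 entry with one of
# these short names pointing at any other binary is impersonating the service.
SVCHOST_HOSTED = {"schedule"}

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {9bd877fa-79ad-e579-1af4-805b0798bc0f} - {f0cb8970-b508-4fa1-975e-da97af778db9} - C:\WINDOWS\system32\rrgccovh.dll
O2 - BHO: Aero skin - {FFFFFFFF-85A3-452b-B7A8-759AD9B42162} - swin32.dll (file missing)
O20 - Winlogon Notify: jkkHYsTL - jkkHYsTL.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
"""


def parse_line(line):
    """Split one HijackThis line into section tag and body; None for non-entries."""
    m = LINE_RE.match(line.strip())
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()} if m else None


def check(entry):
    """Return (severity, reason) pairs for one parsed entry."""
    sec, body = entry["section"], entry["body"]
    low = body.lower()
    out = []
    if "(no file)" in low or "(file missing)" in low:
        out.append(("low", "orphaned entry: registry still points at a file that is gone"))
    if sec == "O2":
        # O2 - BHO: <display name> - {CLSID} - <dll path>
        name = body.partition(":")[2].split(" - ")[0].strip()
        if GUID_RE.match(name):
            out.append(("high", "BHO whose display name is a bare GUID"))
    if sec == "O20" and low.startswith("winlogon notify"):
        out.append(("high", "Winlogon Notify DLL is loaded into winlogon.exe; verify it"))
    if sec == "O23":
        # O23 - Service: <display> (<short name>) - <owner> - <path>
        m = re.match(r"Service:\s*(.*?)\s*\((.+?)\)\s*-\s*(.*?)\s*-\s*(.*)$", body)
        if m:
            _display, name, owner, path = m.groups()
            plow = re.sub(r"\s*\(file missing\)$", "", path.lower())
            if name.lower() in SVCHOST_HOSTED and "svchost.exe" not in plow:
                out.append(("high", f"service '{name}' must be hosted by svchost.exe, not {path}"))
            if "\\drivers\\" in plow and plow.endswith(".exe"):
                out.append(("medium", "service executable placed under system32\\drivers"))
            if owner.lower() == "unknown owner":
                out.append(("medium", "service binary carries no company name"))
    if sec == "R1" and "proxyserver" in low:
        m = re.search(r"=\s*(?:http=)?(?:127\.0\.0\.1|localhost):(\d+)", body)
        if m:
            out.append(("info", f"proxy on localhost:{m.group(1)}; identify the listening process"))
    return out


def triage(log_text):
    """Run check() over every parsable line and return a list of finding dicts."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for severity, reason in check(entry):
            findings.append({"severity": severity, "section": entry["section"],
                             "reason": reason, "line": entry["raw"]})
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f["severity"]]):
        print(f"[{f['severity']:<6}] {f['section']:<4} {f['reason']}\n         {f['line']}")
```

Running it on the sample prints three high findings (the GUID-named BHO, the Winlogon Notify hook, and the fake Schedule service), two medium ones for the spools.exe entry, four orphaned-entry notes, and the informational proxy line; the Lavasoft service produces nothing. The script deliberately does not rate entries as clean: an O23 that passes every check is merely an entry nobody has looked at yet.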


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts)

Posted 12 September 2008 - 10:28 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus is present, which should be able to deal with most of this and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 turkanator (Topic Starter, Members, 24 posts)

Posted 12 September 2008 - 06:12 PM

Avira AntiVir Personal
Report file date: Friday, September 12, 2008 17:07

Scanning for 1612438 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MAC

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 17:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 22:54:15
ANTIVIR2.VDF : 7.0.6.153 3341312 Bytes 9/12/2008 23:59:18
ANTIVIR3.VDF : 7.0.6.154 2048 Bytes 9/12/2008 23:59:20
Engineversion : 8.1.1.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.70 319866 Bytes 9/13/2008 00:03:47
AESCN.DLL : 8.1.0.23 119156 Bytes 7/10/2008 21:44:49
AERDL.DLL : 8.1.1.1 397683 Bytes 9/13/2008 00:03:21
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/15/2008 21:58:35
AEOFFICE.DLL : 8.1.0.23 196987 Bytes 9/13/2008 00:02:40
AEHEUR.DLL : 8.1.0.51 1397111 Bytes 9/13/2008 00:02:19
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/10/2008 21:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 9/13/2008 00:00:17
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 17:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 9/12/2008 23:59:44
AEBB.DLL : 8.1.0.1 53617 Bytes 7/10/2008 21:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 9/12/2008 23:59:25
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, September 12, 2008 17:07

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'X1Exec.exe' - '1' Module(s) have been scanned
Scan process 'exec.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'exec.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ftp34.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Turk\Application Data\AntispywareBot\Quarantine\23-05-2008-12-32-54\4.qit
[DETECTION] Is the TR/Spy.Banker.Gen Trojan
[NOTE] The file was deleted!
C:\Program Files\True Sword 5\backuped\13\cftmon.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP156\A0037241.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP156\A0037241.dll
[DETECTION] Is the TR/Dldr.Small.vba Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP158\A0037291.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP160\A0038582.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP161\A0038649.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP163\A0039678.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP168\A0041934.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP168\A0041935.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP169\A0042936.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP170\A0043018.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP171\A0044049.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP171\A0044049.dll
[DETECTION] Is the TR/Dldr.Small.vba Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP173\A0045084.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP173\A0045085.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP173\A0046085.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP174\A0046105.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP175\A0047102.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP175\A0047103.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP176\A0048107.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP176\A0048108.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050513.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050515.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050517.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050531.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050532.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050545.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050546.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050549.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050550.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050566.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050567.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050575.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0050576.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051575.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051576.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051580.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051581.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051582.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051583.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051661.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051662.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051664.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051665.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051680.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051681.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051683.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051684.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051685.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051715.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051716.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051719.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051726.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051727.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051741.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051742.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051744.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051759.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051760.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051762.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051782.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051783.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051785.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051787.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051812.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051813.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051815.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051816.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP187\A0051817.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP188\A0051868.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP188\A0051869.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP188\A0051873.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051914.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051915.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051916.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051925.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051926.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051928.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051935.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051936.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051937.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0051938.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052934.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052935.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052937.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052938.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052947.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052948.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052949.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP189\A0052950.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053033.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053034.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053036.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053037.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053054.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053055.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053057.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053058.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053059.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053069.exe
[DETECTION] Is the TR/Agent.26624 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{5561C4A1-C526-481E-91D3-CB3B6D45C9E0}\RP190\A0053070.dll
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\b138.exe
[DETECTION] Is the TR/Agent.11264.K Trojan
[NOTE] The file was deleted!
C:\WINDOWS\SoftwareDistribution\Download\4730fbe8056ad6eb56eb6cc23d82cd01\BITCD.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0009._p
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\SoftwareDistribution\Download\ee0e4ae3d1f978d90c79d3c22a41bf17\BITC0.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0008._p
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\filekiller.dll
[DETECTION] Is the TR/Agent.57344.S Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\acpii.sys
[WARNING] The file could not be opened!


End of the scan: Friday, September 12, 2008 17:49
Used time: 42:12 Minute(s)

The scan has been done completely.

3239 Scanning directories
124498 Files were scanned
103 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
103 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
124392 Files not concerned
605 Archives were scanned
5 Warnings
103 Notes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:21 PM, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - (no file)
O2 - BHO: (no name) - {DFDCFCE7-56B0-4B17-A903-3B918555BD46} - (no file)
O2 - BHO: {9bd877fa-79ad-e579-1af4-805b0798bc0f} - {f0cb8970-b508-4fa1-975e-da97af778db9} - C:\WINDOWS\system32\rrgccovh.dll
O2 - BHO: Aero skin - {FFFFFFFF-85A3-452b-B7A8-759AD9B42162} - swin32.dll (file missing)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207942096109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211435122199
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/in/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{917928AE-E9E2-4970-A746-348C42FAB77B}: NameServer = 64.136.52.73 64.136.44.73
O20 - Winlogon Notify: jkkHYsTL - jkkHYsTL.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

--
End of file - 6821 bytes
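
The HijackThis log above is triaged by eye in this thread. As an added example (not HijackThis' own code, and not something anyone in the thread posted), the Python below encodes the patterns the helper acts on in the later posts: BHOs, Winlogon Notify handlers and services whose file is gone ("(no file)" / "(file missing)"), a BHO whose display name is a bare GUID and whose DLL is eight random lowercase letters in system32 (rrgccovh.dll), and a service named after a Windows component but pointing at an .exe under system32\drivers with no publisher (the "Task Scheduler" entry for spools.exe; the genuine Schedule service is hosted by svchost.exe). The localhost-proxy check is deliberately only a "verify" prompt: on this machine the ProxyOverride list names NetZero hosts and the helper leaves the proxy entry alone, so the NetZero accelerator explains it; confirm which process owns the port before treating such an entry as malicious. The sample lines are copied from the log above; the regexes are this example's own heuristics, not HijackThis categories.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not HJT's own code: it only pattern-matches text and
makes no registry or filesystem changes.
"""
import re

# Every HJT entry is "<section> - <details>", e.g. "O2 - BHO: <name> - {CLSID} - <dll>"
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<rest>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Vundo-era droppers registered BHOs from system32 under eight random lowercase letters
RANDOM_SYS32_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$")
DRIVERS_EXE_RE = re.compile(r"\\drivers\\[^\\ ]+\.exe", re.I)
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:http=)?127\.0\.0\.1:\d+")

# Lines copied from the HijackThis log in this thread (sample input for the example)
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {9bd877fa-79ad-e579-1af4-805b0798bc0f} - {f0cb8970-b508-4fa1-975e-da97af778db9} - C:\WINDOWS\system32\rrgccovh.dll
O2 - BHO: Aero skin - {FFFFFFFF-85A3-452b-B7A8-759AD9B42162} - swin32.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: jkkHYsTL - jkkHYsTL.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
"""


def triage(log_text):
    """Return one finding per suspicious HJT line: {'section', 'entry', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, the process list and blank lines are not entries
        sec, rest = m["sec"], m["rest"]
        reasons = []
        missing = "(file missing)" in rest or rest.endswith("(no file)")
        if sec in ("O2", "O20", "O23") and missing:
            reasons.append("orphaned registration: the file it points to is gone")
        if sec == "O2":
            b = BHO_RE.match(rest)
            if b and GUID_RE.match(b["name"]):
                reasons.append("BHO display name is a bare GUID, not a product name")
            if b and RANDOM_SYS32_DLL_RE.search(b["path"]):
                reasons.append("BHO loads an eight-letter random-looking DLL from system32")
        if sec == "O23":
            if "Unknown owner" in rest:
                reasons.append("service has no publisher string")
            if DRIVERS_EXE_RE.search(rest):
                # drivers\ holds .sys files; a service .exe there is out of place
                # (the genuine XP Task Scheduler runs inside svchost.exe)
                reasons.append("service executable lives under system32\\drivers")
        if sec == "R1" and LOCAL_PROXY_RE.search(rest):
            # Not a verdict: accelerators (NetZero on this machine) also proxy
            # through localhost. Confirm which process owns the port first.
            reasons.append("IE proxies through localhost: check which process listens on that port")
        if reasons:
            findings.append({"section": sec, "entry": rest, "reasons": reasons})
    return findings


def report(log_text):
    """Human-readable summary, one block per flagged line."""
    lines = []
    for f in triage(log_text):
        lines.append(f"{f['section']} - {f['entry']}")
        lines.extend(f"    -> {r}" for r in f["reasons"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HJT))
```

Run over the sample, it flags six of the nine lines and leaves the Spybot BHO and the Avira Run entry alone; the rrgccovh.dll BHO collects two reasons and the fake "Task Scheduler" service three. The heuristics are deliberately narrow (lowercase-only, system32-only for the random-name check) so that legitimate eight-letter DLLs such as SDHelper.dll are not caught.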

#4 Orange Blossom (OBleepin Investigator)
  • Moderator
  • 36,693 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 12 September 2008 - 09:15 PM

Hello turkanator,

I have merged your latest topic with your previously existing topic. Please keep all posts regarding this issue to this topic by using the Add Reply button at the bottom of the topic. Starting new topics on the same issue confuses things and delays the assistance you receive.

Back to you, miekiemoes.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 September 2008 - 11:57 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 turkanator (Topic Starter)
  • Members
  • 24 posts
  • Gender:Male
  • Location:The Rings of Saturn

Posted 13 September 2008 - 02:28 PM

Hi, turkanator here. I tried to install the Windows Recovery Console (I have the CD), but I got a message that says it was inaccessible?! Anyhow, I have the ComboFix log as well as a new HijackThis log:

ComboFix 08-09-13.02 - Turk 2008-09-13 13:58:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.62 [GMT -7:00]
Running from: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Turk\Application Data\SpeedRunner
C:\Documents and Settings\Turk\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Turk\lsass.exe
C:\Documents and Settings\Turk\My Documents\MANTEC~1
C:\Program Files\CPV
C:\Program Files\outlook
C:\Program Files\Temporary
C:\WINDOWS\b116.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\BM6735806c.txt
C:\WINDOWS\BM6735806c.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\-
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\aumnovht.ini
C:\WINDOWS\system32\bfvlqeob.ini
C:\WINDOWS\system32\bkchgqlm.ini
C:\WINDOWS\system32\bllkqaax.ini
C:\WINDOWS\system32\brtlydmm.ini
C:\WINDOWS\system32\bxvmmbkf.ini
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\cxlatdmt.ini
C:\WINDOWS\system32\dqnlkdyg.ini
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ds.dat
C:\WINDOWS\system32\dvcymubs.ini
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\ftaaaved.ini
C:\WINDOWS\system32\gvkljxxo.ini
C:\WINDOWS\system32\htenqhat.ini
C:\WINDOWS\system32\ikmnwldb.ini
C:\WINDOWS\system32\iwaefxau.ini
C:\WINDOWS\system32\jmleipco.ini
C:\WINDOWS\system32\jqeomgoa.ini
C:\WINDOWS\system32\jwoawjee.ini
C:\WINDOWS\system32\koqrgtwu.ini
C:\WINDOWS\system32\kqqwmrcq.ini
C:\WINDOWS\system32\mkxdmdjs.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\obcswrwm.ini
C:\WINDOWS\system32\ofqsmira.ini
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\PVxIPXyb.ini
C:\WINDOWS\system32\PVxIPXyb.ini2
C:\WINDOWS\system32\qxepyfgf.ini
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tgscukoe.ini
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\ucrbcswb.ini
C:\WINDOWS\system32\viusokvu.ini
C:\WINDOWS\system32\vjnfarkv.ini
C:\WINDOWS\system32\xmdqjpwo.ini
C:\WINDOWS\system32\xxdpljse.ini
C:\WINDOWS\system32\yhyrlbkc.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE


((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
.

2008-09-12 16:42 . 2008-09-12 16:42 <DIR> d-------- C:\Program Files\Avira
2008-09-12 16:42 . 2008-09-12 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-11 21:35 . 2008-09-11 21:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-11 17:57 . 2008-09-12 11:04 229 --a------ C:\WINDOWS\wininit.ini
2008-09-11 16:53 . 2008-09-11 17:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-11 16:53 . 2008-09-11 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 15:22 . 2008-09-11 15:22 <DIR> d-------- C:\Program Files\NetZero
2008-09-11 15:22 . 2008-09-11 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NetZero
2008-09-10 21:38 . 2008-04-13 17:12 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-09-10 21:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-09-10 21:38 . 2008-04-13 17:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-09-10 21:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-09-10 21:35 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-09-10 21:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-09-10 21:33 . 2008-04-13 17:12 363,520 --a--c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-09-10 21:32 . 2008-04-13 11:31 2,023,936 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-09-10 21:31 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-09-10 21:30 . 2008-04-13 17:11 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-09-10 21:29 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-09-10 21:28 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-09-10 21:27 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-09-10 21:26 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-09-10 21:25 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-10 21:24 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys
2008-09-10 21:23 . 2008-04-13 12:24 2,145,280 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-09-10 18:31 . 2008-09-10 18:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-10 18:31 . 2008-09-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-08 17:51 . 2008-09-08 17:51 57,728 --a------ C:\Documents and Settings\Turk\Application Data\GDIPFONTCACHEV1.DAT
2008-09-08 17:35 . 2008-09-08 17:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 15:17 . 2008-09-07 15:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-06 11:08 . 2008-09-06 11:08 <DIR> d-------- C:\VundoFix Backups
2008-09-02 08:45 . 2008-09-02 09:50 <DIR> d-------- C:\Program Files\True Sword 5
2008-09-02 08:45 . 2008-09-02 08:45 <DIR> d-------- C:\Documents and Settings\Turk\Application Data\True Sword
2008-08-29 08:44 . 2008-09-02 00:14 32 --a------ C:\WINDOWS\DxPlayer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 00:57 --------- d-----w C:\Program Files\Antivirus Protection
2008-09-12 00:57 --------- d-----w C:\Documents and Settings\Turk\Application Data\AntispywareBot
2008-09-11 01:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-11 01:29 --------- d-----w C:\Program Files\ArcSoft
2008-09-11 01:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-28 21:12 --------- d-----w C:\Program Files\GustoSoft
2008-07-28 19:20 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-20 19:02 --------- d-----w C:\Program Files\Ares
2008-06-04 00:34 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051920080526\index.dat
2008-06-04 00:34 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f0cb8970-b508-4fa1-975e-da97af778db9}]
2008-05-27 23:57 105024 --a------ C:\WINDOWS\system32\rrgccovh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2007-08-28 1629184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
S1 acpii;acpii;C:\WINDOWS\system32\drivers\acpii.sys [ ]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97c6742e-0985-11dd-bf03-a526273fdce5}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{DFDCFCE7-56B0-4B17-A903-3B918555BD46} - (no file)
Notify-jkkHYsTL - jkkHYsTL.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.ufc.com/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
R1 -: HKCU-SearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
O8 -: Display All Images with Full Quality - C:\Program Files\NetZero\qsacc\appres.dll/228
O8 -: Display Image with Full Quality - C:\Program Files\NetZero\qsacc\appres.dll/227

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
.
------- File Associations (Beta) -------
.
inifile=fchertwerf.exe %1
txtfile=fchertwerf.exe %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-13 14:08:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\NetZero\qsacc\X1Exec.exe
.
**************************************************************************
.
Completion time: 2008-09-13 14:16:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-13 21:16:00

Pre-Run: 7,745,052,672 bytes free
Post-Run: 7,749,885,952 bytes free

191 --- E O F --- 2008-09-13 05:23:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:31 PM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {9bd877fa-79ad-e579-1af4-805b0798bc0f} - {f0cb8970-b508-4fa1-975e-da97af778db9} - C:\WINDOWS\system32\rrgccovh.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207942096109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211435122199
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/in/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{917928AE-E9E2-4970-A746-348C42FAB77B}: NameServer = 64.136.52.73 64.136.44.73
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 5956 bytes
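
Three findings in the ComboFix log above are the ones the helper cleans up by hand in the next post: the txtfile and inifile associations rewritten to run fchertwerf.exe (so opening any .txt or .ini file would launch it), the per-user MountPoints2 key whose \Shell\AutoRun\command launches F:\Start.exe when that drive is opened (the classic removable-drive autorun pattern), and two driver services (acpii, samhid) with no file behind them. All three can be pulled out of the log mechanically. The Python below is an added example, not ComboFix's own code nor anything posted in the thread: it parses those sections and emits the matching ftype commands, sc delete commands and a REGEDIT4 deletion file. Assumptions: the stock XP handler for both txtfile and inifile is %SystemRoot%\system32\NOTEPAD.EXE %1 (what ftype reports on a clean install), an empty "[ ]" after a service path means ComboFix could not record a date and size for the file, and the sample log excerpt is copied from the log above. It only produces text; review the output before running it, and note that anything not visible in the log (the .dbt/DBTFILE class keys the helper also removes) cannot be derived this way.

```python
"""Derive the manual cleanup a ComboFix log calls for.

Added example, not ComboFix's own code. It reads three things the log
exposes and turns them into the commands a helper would type; it makes
no changes itself.
"""
import re

# Assumed stock XP handlers for the two classes the log reports (what `ftype` shows)
EXPECTED_ASSOC = {
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "inifile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}
ASSOC_RE = re.compile(r"^(?P<cls>\w+)=(?P<cmd>.+)$")
# "S1 acpii;acpii;C:\...\acpii.sys [ ]": the empty bracket means ComboFix
# found no file to record a date/size for, i.e. a dangling service entry
SVC_NOFILE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[ \]$")
# Per-volume MountPoints2 keys whose \Shell\AutoRun\command Explorer runs on open
MOUNTPOINT_RE = re.compile(r"^\[(?P<key>HKEY_CURRENT_USER\\.+?\\mountpoints2\\\{[^}]+\})\]$", re.I)

# Excerpt copied from the ComboFix log in this thread (sample input for the example)
SAMPLE_COMBOFIX = r"""
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
S1 acpii;acpii;C:\WINDOWS\system32\drivers\acpii.sys [ ]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97c6742e-0985-11dd-bf03-a526273fdce5}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
------- File Associations (Beta) -------
.
inifile=fchertwerf.exe %1
txtfile=fchertwerf.exe %1
.
"""


def parse_combofix(log_text):
    """Collect hijacked associations, file-less services and MountPoints2 autoruns."""
    found = {"assoc": {}, "services": [], "mountpoints": []}
    section, current_mp = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if "File Associations" in line:
            section = "assoc"
            continue
        if line.startswith("-------"):  # any other section header ends the block
            section = None
        if line in ("", "."):
            current_mp = None
        if section == "assoc":
            m = ASSOC_RE.match(line)
            if m:
                found["assoc"][m["cls"].lower()] = m["cmd"]
            continue
        m = SVC_NOFILE_RE.match(line)
        if m:
            found["services"].append((m["name"], m["path"]))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            current_mp = {"key": m["key"], "commands": []}
            found["mountpoints"].append(current_mp)
            continue
        if current_mp is not None and line.startswith("\\Shell\\"):
            current_mp["commands"].append(line)
    return found


def plan_fix(found):
    """Commands and a REGEDIT4 file body that undo what parse_combofix found."""
    ftype_cmds = [
        f"ftype {cls}={EXPECTED_ASSOC[cls]}"
        for cls, cmd in sorted(found["assoc"].items())
        if cls in EXPECTED_ASSOC and cmd.lower() != EXPECTED_ASSOC[cls].lower()
    ]
    sc_cmds = [f"sc delete {name}" for name, _ in found["services"]]
    reg_lines = ["REGEDIT4", ""]
    for mp in found["mountpoints"]:
        reg_lines += [f"[-{mp['key']}]", ""]  # leading '-' deletes the key and its subkeys
    reg_file = "\r\n".join(reg_lines) if found["mountpoints"] else ""
    return {"ftype": ftype_cmds, "sc": sc_cmds, "reg": reg_file}


if __name__ == "__main__":
    plan = plan_fix(parse_combofix(SAMPLE_COMBOFIX))
    print("\n".join(plan["ftype"] + plan["sc"]))
    print(plan["reg"])
```

On the sample it reproduces the two ftype lines, the two sc delete lines and the MountPoints2 deletion from the helper's instructions. The .reg body is joined with CRLF and starts with REGEDIT4, the ANSI format XP's regedit merges; save it with a .reg extension and "All Files" as the type so Notepad does not append .txt.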

#7 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 September 2008 - 03:49 PM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can re-enable it.
If TeaTimer warns you afterwards that some changes were made, allow them instead of blocking them.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (If you use Firefox, right-click the link and choose "Save As".)
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then go to Start > Run and type cmd.
This will open the command prompt.
In there, type the following commands:

ftype txtfile=%systemroot%\system32\notepad.exe %1

Hit enter

Then type:

ftype inifile=%systemroot%\system32\notepad.exe %1

Hit enter

To delete some orphaned drivers from the registry, still in the command window, type:

sc delete acpii

Hit enter

Then type:

sc delete samhid

Hit enter

Then type exit to close the command prompt.

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97c6742e-0985-11dd-bf03-a526273fdce5}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dbt]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTFILE]

Save this as fix.reg (choose "All Files" as the file type) and place it on your desktop.
Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.
(If you are unsure how to create a .reg file, take a look here for instructions with screenshots.)

* Start HijackThis, close all open windows, leaving only HijackThis running, and place a check against each of the following:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {9bd877fa-79ad-e579-1af4-805b0798bc0f} - {f0cb8970-b508-4fa1-975e-da97af778db9} - C:\WINDOWS\system32\rrgccovh.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot your computer.

After reboot, navigate to and delete the following file if still present:

C:\WINDOWS\system32\rrgccovh.dll

* Go to Start > Run and copy and paste the following command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide system/hidden files, and reset System Restore again.

Then scan again with HijackThis and post a new HijackThis log in your next reply.

#8 turkanator (Topic Starter)
  • Members
  • 24 posts
  • Gender:Male
  • Location:The Rings of Saturn

Posted 13 September 2008 - 08:51 PM

Hi, here's the requested log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:47 PM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207942096109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211435122199
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/in/securityadvisor/virusinfo/webscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 4661 bytes

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:06 AM

Posted 14 September 2008 - 01:58 AM

Hi,

This looks OK again. :thumbsup:

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
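As an added example (not code from this thread, from BleepingComputer, or from HijackThis itself), the script below shows one way to do by hand what the reply above did by eye: parse HijackThis log entries, group them by section code (O4, O9, O16, O23, ...), and flag a Java Runtime older than the 6 Update 7 release recommended above. The sample lines are copied from the log posted in this thread; the JRE directory naming it relies on (jre1.6.0_05 being JRE 6 Update 5) is as it appears in that log, and the comparison target 1.6.0_07 is an assumption derived from the reply's "6 Update 7" recommendation.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
--
End of file - 4661 bytes
"""

# Every HijackThis entry starts with a section code (R1, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Sun's JRE install directories are named jre<major>.<minor>.<patch>_<update>, e.g. jre1.6.0_05.
JRE_DIR_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)

# Assumption: the reply recommends JRE 6 Update 7, which in directory-naming terms is 1.6.0_07.
RECOMMENDED_JRE = (1, 6, 0, 7)


def parse_entries(log_text):
    """Map each section code (O4, O23, ...) to the list of entry bodies under it, in log order."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group("kind"), []).append(m.group("body"))
    return entries


def jre_versions(entries):
    """Collect every JRE version referenced by a path in any entry as (major, minor, patch, update)."""
    found = set()
    for bodies in entries.values():
        for body in bodies:
            for m in JRE_DIR_RE.finditer(body):
                found.add(tuple(int(x) for x in m.groups()))
    return sorted(found)


def outdated_jre(entries, recommended=RECOMMENDED_JRE):
    """Return the JRE versions in the log that are older than the recommended one."""
    return [v for v in jre_versions(entries) if v < recommended]


def fmt(version):
    """Render a version tuple the way the JRE directory name does, e.g. 1.6.0_05."""
    major, minor, patch, update = version
    return f"{major}.{minor}.{patch}_{update:02d}"


def report(log_text):
    """List the autostart, browser-extension, ActiveX and service entries, then any Java warning."""
    entries = parse_entries(log_text)
    lines = []
    for kind in ("O4", "O9", "O16", "O23"):
        for body in entries.get(kind, []):
            lines.append(f"{kind}: {body}")
    for v in outdated_jre(entries):
        lines.append(f"WARNING: JRE {fmt(v)} is older than recommended {fmt(RECOMMENDED_JRE)}; update Java")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log it prints each O4/O9/O16/O23 line for review and one warning for jre1.6.0_05. The version check only sees JREs that appear in a path somewhere in the log, so a stale JRE that has no browser hook registered will not be reported; the Add/Remove Programs sweep in the steps above is still the authoritative list.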

#10 turkanator (Topic Starter)

Posted 15 September 2008 - 01:14 AM

Hi, turkanator here. Downloading Java was taking forever because I am currently on a dial-up connection; however, I did manage to find the same Java update on a different site (Java 6 Update 7). The file size was smaller but it seems to be the same one. So far my CPU seems to be doing great. I also was wondering, what exactly does Java do? I also would like to know, is Advanced WindowsCare v2 Personal a good application to help keep my registry in good shape, or have you even heard of this?

#11 turkanator (Topic Starter)

Posted 15 September 2008 - 01:31 AM

Hi, turkanator again, quickly. I forgot, what was the name of the firewall you recommended (which one would you choose)?

#12 miekiemoes (Malware Response Team)

Posted 15 September 2008 - 01:55 AM

Hi,

Java is required on some sites where java applets are used. For example some games, online scans etc..

"I also would like to know, is Advanced WindowsCare v2 Personal a good application to help keep my registry in good shape, or have you even heard of this?"

I don't recommend Registry Tools anyway. Please see here: http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html

"I forgot, what was the name of the firewall you recommended (which one would you choose)?"

Look in my signature below under Firewalls for the ones I recommend. Only install 1!

And...

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 turkanator (Topic Starter)

Posted 15 September 2008 - 04:00 PM

Thanks a million miekiemoes, you are a computer GOD. My CPU seems back to normal. I really appreciate the help.

turkanator

#14 miekiemoes (Malware Response Team)

Posted 15 September 2008 - 04:16 PM

You're most welcome :thumbsup:

#15 miekiemoes (Malware Response Team)

Posted 17 September 2008 - 04:27 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.