
Help me


  • This topic is locked
13 replies to this topic

#1 Y4kuz4

Y4kuz4

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 06 January 2009 - 03:16 AM

Hello..
Merry Christmas and happy New Year. My computer has been infected by a virus; this virus can inject into exe files..
This virus blocked:
-Task Manager
-Photoshop CS
-regedit
-Foxit Reader
-ClamWin
-Process Explorer
and maybe it blocks many other programs, I don't know.
This is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04, on 1/6/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BMa37566dd] Rundll32.exe "C:\WINDOWS\System32\ydqqibmy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BTTray.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5517 bytes

This virus dropped files onto my flash disk; their names are:
xwlog.exe
roqnic.exe
autorun.inf

thanks very much..


#2 Y4kuz4

Y4kuz4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 06 January 2009 - 03:27 AM

If you want a sample of the virus you can get it :thumbsup: Don't worry, I zipped that virus, without a password. Please, everyone, help me!!

Edited by Pandy, 06 January 2009 - 04:33 AM.
Malicious link removed by request of Jat90


#3 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:52 PM

Posted 06 January 2009 - 04:22 AM

Hello, Y4kuz4

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

Please give me some time to look over your logs and I will post back soon.

Do not post malicious links/files onto this site, ever.
It shall be removed.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#4 Y4kuz4

Y4kuz4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 06 January 2009 - 11:04 PM

Sorry I'm late, and thanks for waiting for me. This is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04, on 1/7/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {10C08715-AD85-4FB5-BB96-A7F700AB2964} - C:\WINDOWS\System32\xxyvussr.dll
O2 - BHO: (no name) - {216fc1b7-d7cf-4b5d-8176-c48247faf371} - C:\WINDOWS\System32\nrhbsljo.dll
O2 - BHO: (no name) - {a109564c-b9dd-458b-be75-7d53062fb79f} - C:\WINDOWS\System32\qtegvqjb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BMa37566dd] Rundll32.exe "C:\WINDOWS\System32\ydqqibmy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-764733703-839522115-1009\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-2000478354-764733703-839522115-1009 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User '?')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BTTray.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\
O20 - Winlogon Notify: qtxumbgd - qtxumbgd.dll (file missing)
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O20 - Winlogon Notify: windnv32 - C:\WINDOWS\SYSTEM32\windnv32.dll
O20 - Winlogon Notify: xxyvussr - C:\WINDOWS\SYSTEM32\xxyvussr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 6809 bytes
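The log above is long, and the entries that matter are scattered across the O2, O4, O7 and O20 sections. The following script is an added example, not part of this thread or of HijackThis: it scores HijackThis-style lines against the indicators the posted log exhibits (a BHO registered with no name, a Run key that loads a System32 DLL through Rundll32, an O7 policy that disables regedit, and Winlogon Notify DLLs that are missing on disk or not on a known-good list). The sample lines are copied from the log above, plus one benign Winlogon Notify line (igfxcui) constructed from the RSIT registry dump later in the thread so that a known-good package is seen scoring low. The known-good list, the weights and the threshold are my assumptions.

```python
"""Triage helper for HijackThis-style logs (Python 3, stdlib only).

Added example for this thread: scores each log line against indicators the
posted logs exhibit, so suspicious entries surface without reading every
line by hand. Weights and the known-good list are assumptions, not HJT output.
"""
import re

# Constructed sample: lines copied from the HijackThis log in this thread, plus
# one benign Winlogon Notify entry (igfxcui, Intel graphics) constructed from
# the RSIT registry dump later in the thread.
SAMPLE_LOG = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {10C08715-AD85-4FB5-BB96-A7F700AB2964} - C:\WINDOWS\System32\xxyvussr.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BMa37566dd] Rundll32.exe "C:\WINDOWS\System32\ydqqibmy.dll",s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: qtxumbgd - qtxumbgd.dll (file missing)
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
""".strip()

# Winlogon Notify packages expected on an XP build (assumed list). Anything
# else gets weight because DLLs listed here load inside winlogon.exe at logon.
KNOWN_NOTIFY = {"igfxcui", "crypt32chain", "cryptnet", "cscdll", "scecli",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # eight lowercase letters, e.g. xxyvussr
RUNDLL_SYSTEM32 = re.compile(r'rundll32\.exe\s+"?[^"]*\\System32\\[^"]+\.dll', re.I)
POLICY_LOCK = re.compile(r"Disable(Regedit|TaskMgr|RegistryTools)=1")
NOTIFY_NAME = re.compile(r"^O20 - Winlogon Notify: (\S+) - ")


def random_looking_dlls(line: str) -> list[str]:
    """DLL stems in the line matching the eight-letter pattern seen in this log.
    Weak on its own (igfxsrvc matches too), so it only ever adds one point."""
    return [stem for stem in re.findall(r"([A-Za-z0-9_~]+)\.dll", line, re.I)
            if RANDOM_STEM.match(stem)]


def score_line(line: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one HijackThis line."""
    score, reasons = 0, []
    section = line.split(" - ", 1)[0]
    if section == "O2" and "(no name)" in line:
        score += 2
        reasons.append("BHO registered without a name")
    if section == "O4" and RUNDLL_SYSTEM32.search(line):
        score += 2
        reasons.append("Run key loads a System32 DLL via Rundll32")
    if section == "O7" and POLICY_LOCK.search(line):
        score += 3
        reasons.append("policy disables an admin tool")
    if section == "O20":
        m = NOTIFY_NAME.match(line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            score += 2
            reasons.append("unrecognised Winlogon Notify package")
        if "(file missing)" in line:
            score += 1
            reasons.append("Notify DLL missing on disk")
    if random_looking_dlls(line):
        score += 1
        reasons.append("random-looking DLL name")
    return score, reasons


def triage(log_text: str, threshold: int = 2) -> list[dict]:
    """Lines scoring at or above threshold, highest score first."""
    findings = []
    for line in log_text.splitlines():
        score, reasons = score_line(line)
        if score >= threshold:
            findings.append({"line": line, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['line']}")
        print("     " + "; ".join(f["reasons"]))
```

Run against the sample, the five entries a helper would act on (the nameless BHO, the Rundll32 Run key, the O7 lock, and the two unrecognised Winlogon Notify DLLs) come out on top, while the HP, WinPatrol, Intel and WIDCOMM entries stay below the threshold. The eight-letter heuristic alone is noisy, which is why it contributes only one point; the real signal is the combination of where the entry lives and what it loads.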

#5 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:52 PM

Posted 08 January 2009 - 06:53 AM

Hello, sorry for the delay.

There are signs of a previous infection, New.Net. This infection is known to cause connection problems. Are you having any trouble with the internet (slow connection, images not loading, etc.)? Please take the following steps:

LSPFix

First, Download LSPFix.exe to a convenient location. Do NOT run this program yet.
This is only to be used if you lose Internet Access in the event of removing NewDotNet.

Install Antivirus

You are missing one important program on that computer: An antivirus.
I am not surprised you are infected. This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Registry Backup

Backup Your Registry with ERUNT
  • Download from here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Registry Fix

Launch Notepad, and copy/paste the box below into a new text file. Save it on your desktop as fixme.reg. For "save as type" choose All Files.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegedit"=dword:00000000
  • Locate fixme.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Flash Disinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and on every USB drive that was plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


ComboFix

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See this topic to find out how to disable your antivirus and firewall (post #1 and #2).
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix Recovery Console message]

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

RSIT

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.


In your next reply, please post:
  • ComboFix log
  • RSIT logs (both)
  • Answer to the question
  • How is your pc now?

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

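The Registry Fix step works because regedit parses the REGEDIT4 format, and that format is strict: a DWORD has to be written as dword: followed by exactly eight hex digits, and a bare 0 is rejected at import with a "not a registry script" error. The script below is an added example, not part of Jat90's instructions or of any tool named in this thread. It generalises the posted fix: it builds a fixme.reg that resets every policy value the logs report (DisableRegedit from the HJT O7 line, DisableTaskMgr and DisableRegistryTools from the RSIT dump) under both the HKCU and HKLM Policies\System keys, and runs a syntax check before the file would be merged. The accepted value grammar is deliberately a narrow subset (dword, quoted string, delete); hex data with continuation lines is out of scope.

```python
"""Generate and sanity-check a REGEDIT4 fix file (Python 3, stdlib only).

Added example for this thread: resets the policy values the HJT and RSIT logs
show as set to 1, and validates the file's syntax before it is merged.
"""
import re

# Both Policies\System keys seen in the logs: HKCU carries DisableTaskMgr and
# DisableRegistryTools in the RSIT dump; HKLM is the key the posted fix used.
POLICY_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System",
]
POLICY_VALUES = ["DisableRegedit", "DisableTaskMgr", "DisableRegistryTools"]


def dword(value: int) -> str:
    """regedit only accepts DWORDs as 'dword:' plus exactly eight hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a DWORD: {value}")
    return f"dword:{value:08x}"


def build_reg(keys=POLICY_KEYS, values=POLICY_VALUES, setting=0) -> str:
    """Return REGEDIT4 text setting every value under every key to `setting`."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"={dword(setting)}' for name in values)
        lines.append("")
    return "\r\n".join(lines)   # regedit expects CRLF line endings


# Accepted value syntaxes: dword, quoted string, or "-" (delete the value).
# hex:/hex(n): data with backslash continuation lines is out of scope here.
KEY_LINE = re.compile(r"^\[-?HKEY_[A-Z_]+(\\[^\]]+)?\]$")
VALUE_LINE = re.compile(r'^"[^"]+"=(dword:[0-9a-fA-F]{8}|"[^"]*"|-)$')


def validate_reg(text: str) -> list[str]:
    """Return a list of problems; an empty list means the file looks well-formed."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append("line 1: header must be REGEDIT4")
    in_key = False
    for no, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        if KEY_LINE.match(line):
            in_key = True
            continue
        if not in_key:
            problems.append(f"line {no}: value appears before any [key] line")
        elif not VALUE_LINE.match(line):
            problems.append(f"line {no}: malformed value (DWORDs need dword:XXXXXXXX): {line}")
    return problems


if __name__ == "__main__":
    reg = build_reg()
    issues = validate_reg(reg)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("fixme.reg", "w", newline="") as fh:   # newline="" keeps the CRLFs
        fh.write(reg)
    print(reg)
```

Running it writes fixme.reg next to the script and prints the file; double-clicking that file on the affected machine is then the same merge step Jat90 describes. Validating first matters in this scenario because regedit itself is blocked by the very policy being reset, so a malformed file gives no useful feedback.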

#6 Y4kuz4

Y4kuz4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 11 January 2009 - 03:33 AM

This is the RSIT log

#7 Y4kuz4

Y4kuz4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 11 January 2009 - 03:35 AM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Gilang at 2009-01-11 11:58:32
Microsoft Windows XP Professional Service Pack 1
System drive C: has 4 GB (36%) free of 10 GB
Total RAM: 375 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04, on 1/7/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {10C08715-AD85-4FB5-BB96-A7F700AB2964} - C:\WINDOWS\System32\xxyvussr.dll
O2 - BHO: (no name) - {216fc1b7-d7cf-4b5d-8176-c48247faf371} - C:\WINDOWS\System32\nrhbsljo.dll
O2 - BHO: (no name) - {a109564c-b9dd-458b-be75-7d53062fb79f} - C:\WINDOWS\System32\qtegvqjb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BMa37566dd] Rundll32.exe "C:\WINDOWS\System32\ydqqibmy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-764733703-839522115-1009\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-2000478354-764733703-839522115-1009 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User '?')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BTTray.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\
O20 - Winlogon Notify: qtxumbgd - qtxumbgd.dll (file missing)
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O20 - Winlogon Notify: windnv32 - C:\WINDOWS\SYSTEM32\windnv32.dll
O20 - Winlogon Notify: xxyvussr - C:\WINDOWS\SYSTEM32\xxyvussr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 6809 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [2007-03-02 1298024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
HP Print Clips - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [2007-03-02 177768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C08715-AD85-4FB5-BB96-A7F700AB2964}]
C:\WINDOWS\System32\xxyvussr.dll [2008-10-31 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{216fc1b7-d7cf-4b5d-8176-c48247faf371}]
C:\WINDOWS\System32\nrhbsljo.dll [2008-04-23 99904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a109564c-b9dd-458b-be75-7d53062fb79f}]
C:\WINDOWS\System32\qtegvqjb.dll [2008-05-16 102976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2002-08-29 842268]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\windows\system32\NeroCheck.exe [2008-02-02 335872]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-10-09 415040]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2007-06-18 355840]
"BMa37566dd"=C:\WINDOWS\System32\ydqqibmy.dll [2008-04-23 95296]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\System32\ctfmon.exe [2002-08-29 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockAds]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-17 52848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\windows\System32\ctfmon.exe [2002-08-29 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe [2007-05-04 940032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe [2005-12-21 364544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Executive Software\Diskeeper\DkIcon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe [2003-04-06 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe [2003-04-06 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryBoost]
C:\Program Files\MemoryBoost\MemoryBoost.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2002-08-20 1593373]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe [2003-08-16 201920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe [2003-12-19 512000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAM Idle]
C:\Program Files\Customizer XP\RAMIdle.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TransparentIcons]
C:\Program Files\Tweak-XP\tranicon.exe -ex []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak-XP]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UStorag]
c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 194048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe [2003-09-15 512061]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
C:\PROGRA~1\WinZip\WZQKPICK.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2
"BITS"=3
"Messenger"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Documents and Settings\Gilang\Start Menu\Programs\Startup
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-06 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qtxumbgd]
qtxumbgd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbfi32]
C:\WINDOWS\system32\winbfi32.dll [2008-10-31 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\windnv32]
C:\WINDOWS\system32\windnv32.dll [2008-03-02 0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvussr]
C:\WINDOWS\system32\xxyvussr.dll [2008-10-31 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{10C08715-AD85-4FB5-BB96-A7F700AB2964}"=C:\WINDOWS\System32\xxyvussr.dll [2008-10-31 33280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\windows\System32\pmnnk.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"LegalNoticeCaption"=
"LegalNoticeText"=
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=FFFFFF03

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"\??\C:\windows\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\windows\TEMP\win29D9.tmp.exe"="C:\windows\TEMP\win29D9.tmp.exe:*:Enabled:win29D9.tmp"
"C:\WINDOWS\mrofinu1001186.exe"="C:\WINDOWS\mrofinu1001186.exe:*:enabled:@shell32.dll,-1"
"F:\New Folder\Setup.exe"="F:\New Folder\Setup.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"K:\ANSAV_AIO\Ansav.exe"="K:\ANSAV_AIO\Ansav.exe:*:Enabled:ipsec"
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:*:Enabled:ipsec"
"C:\windows\system32\NeroCheck.exe"="C:\windows\system32\NeroCheck.exe:*:Enabled:ipsec"
"K:\roqnij.cmd"="K:\roqnij.cmd:*:Enabled:ipsec"
"D:\other\Virus Killer\procexp.exe"="D:\other\Virus Killer\procexp.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\TweakUI.exe"="C:\WINDOWS\system32\TweakUI.exe:*:Enabled:ipsec"
"C:\WINDOWS\System32\taskmgr.exe"="C:\WINDOWS\System32\taskmgr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Gilang\LOCALS~1\Temp\Rar$EX00.875\Nokia_PC_Suite_6_84_10_3_APAC.exe"="C:\DOCUME~1\Gilang\LOCALS~1\Temp\Rar$EX00.875\Nokia_PC_Suite_6_84_10_3_APAC.exe:*:Enabled:ipsec"
"C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe:*:Enabled:ipsec"
"C:\WINDOWS\System32\ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe:*:Enabled:ipsec"
"C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe"="C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe:*:Enabled:ipsec"
"C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_explorer.exe"="C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_explorer.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.scr - open - "%1" %*

======List of files/folders created in the last 3 months======

2009-01-11 11:58:32 ----D---- C:\rsit
2009-01-11 11:58:32 ----A---- C:\Program Files\Gilang.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\zip.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\VFIND.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\SWSC.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\SWREG.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\sed.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\grep.exe
2009-01-11 11:18:59 ----A---- C:\WINDOWS\fdsv.exe
2009-01-11 11:18:56 ----D---- C:\Qoobox
2009-01-11 11:18:55 ----D---- C:\ComboFix
2009-01-11 11:18:55 ----A---- C:\WINDOWS\System32\CF5009.exe
2009-01-07 12:52:34 ----SHD---- C:\FOUND.055
2009-01-07 10:38:12 ----SHD---- C:\FOUND.054
2009-01-07 10:10:05 ----A---- C:\Program Files\HijackThis.exe
2009-01-06 14:10:32 ----SHD---- C:\FOUND.053
2009-01-06 12:28:42 ----SHD---- C:\FOUND.052
2009-01-06 12:24:08 ----SHD---- C:\[SmadCage]
2009-01-04 12:25:40 ----SHD---- C:\FOUND.051
2009-01-04 12:18:13 ----D---- C:\WINDOWS\Minidump
2009-01-04 12:13:34 ----SHD---- C:\FOUND.050
2009-01-04 06:43:05 ----D---- C:\Program Files\PC Connectivity Solution
2009-01-04 06:23:09 ----A---- C:\BIN.EXE
2009-01-04 06:11:46 ----A---- C:\VundoFix.txt
2009-01-04 06:07:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-03 16:59:44 ----SHD---- C:\FOUND.048
2008-12-28 08:41:48 ----A---- C:\WINDOWS\WAPXEAV.dll
2008-12-28 08:31:40 ----SHD---- C:\FOUND.049
2008-12-23 15:27:02 ----SHD---- C:\FOUND.047
2008-12-22 17:06:54 ----D---- C:\Documents and Settings\Gilang\Application Data\DivX
2008-12-20 21:12:08 ----D---- C:\Program Files\Mozilla Firefox
2008-12-20 20:50:22 ----D---- C:\Program Files\ACD Systems
2008-12-20 19:18:32 ----SHD---- C:\FOUND.046
2008-12-20 10:36:27 ----A---- C:\WINDOWS\System32\oeminfo.ini
2008-12-16 12:02:38 ----SHD---- C:\FOUND.045
2008-12-15 10:25:46 ----SHD---- C:\FOUND.044
2008-12-13 12:53:58 ----SHD---- C:\FOUND.043
2008-12-10 20:17:46 ----A---- C:\WINDOWS\System32\msrclr40.dll
2008-12-10 20:17:45 ----A---- C:\WINDOWS\System32\msrecr40.dll
2008-12-10 20:17:24 ----HD---- C:\WINDOWS\$NtUninstallKB282010$
2008-12-10 18:04:00 ----SHD---- C:\FOUND.042
2008-12-10 16:05:36 ----SHD---- C:\FOUND.041
2008-12-09 09:34:20 ----SHD---- C:\FOUND.040
2008-12-08 19:56:58 ----SHD---- C:\FOUND.039
2008-12-08 14:10:42 ----A---- C:\WINDOWS\PhantomOfVenice.INI
2008-12-08 13:07:57 ----D---- C:\Program Files\a-squared Free
2008-12-08 10:12:12 ----SHD---- C:\FOUND.038
2008-12-07 14:07:05 ----D---- C:\Program Files\Common Files\Vbox
2008-12-06 18:52:26 ----SHD---- C:\FOUND.037
2008-12-06 18:22:53 ----D---- C:\Documents and Settings\Gilang\Application Data\CasaPortale.de
2008-12-06 12:17:08 ----A---- C:\UsageTrack.txt
2008-12-06 12:07:46 ----SHD---- C:\FOUND.036
2008-12-06 11:34:50 ----SHD---- C:\FOUND.035
2008-12-06 09:36:36 ----SHD---- C:\FOUND.034
2008-12-06 07:38:12 ----A---- C:\WINDOWS\System32\wt_menu.dll
2008-12-06 07:38:11 ----D---- C:\Program Files\Smarty Uninstaller Pro
2008-12-05 12:27:08 ----D---- C:\Program Files\IObit
2008-12-04 17:23:26 ----SHD---- C:\FOUND.033
2008-12-04 14:53:14 ----D---- C:\Documents and Settings\Gilang\Application Data\WinPatrol
2008-12-04 14:53:09 ----D---- C:\Program Files\BillP Studios
2008-12-04 14:51:46 ----SHD---- C:\FOUND.032
2008-12-04 14:28:24 ----D---- C:\Program Files\Foxit Software
2008-12-04 13:25:06 ----SHD---- C:\FOUND.031
2008-12-02 14:35:56 ----N---- C:\WINDOWS\System32\logagent.exe
2008-12-02 14:35:56 ----A---- C:\WINDOWS\System32\wmadmoe.dll
2008-12-02 14:35:56 ----A---- C:\WINDOWS\System32\qasf.dll
2008-12-02 14:35:56 ----A---- C:\WINDOWS\System32\mpg4dmod.dll
2008-12-02 14:35:56 ----A---- C:\WINDOWS\System32\laprxy.dll
2008-12-02 14:35:55 ----A---- C:\WINDOWS\System32\wmvcore.dll
2008-12-02 14:35:55 ----A---- C:\WINDOWS\System32\wmnetmgr.dll
2008-12-02 14:35:55 ----A---- C:\WINDOWS\System32\wmasf.dll
2008-12-02 14:01:27 ----D---- C:\Program Files\Lavasoft
2008-12-02 14:01:10 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-02 13:51:22 ----AH---- C:\CF21233.exe
2008-11-30 08:02:16 ----D---- C:\Program Files\MP3Gain
2008-11-30 07:54:48 ----A---- C:\WINDOWS\System32\tsbyuv.dll
2008-11-30 07:54:48 ----A---- C:\WINDOWS\System32\iyuv_32.dll
2008-11-30 07:54:47 ----A---- C:\WINDOWS\System32\vfwwdm32.dll
2008-11-30 07:51:26 ----D---- C:\Program Files\WIDCOMM
2008-11-30 07:21:52 ----SHD---- C:\FOUND.030
2008-11-28 16:20:48 ----D---- C:\Documents and Settings\Gilang\Application Data\Macromedia
2008-11-26 11:07:56 ----SHD---- C:\FOUND.029
2008-11-26 09:58:58 ----SHD---- C:\FOUND.028
2008-11-25 15:43:42 ----SHD---- C:\FOUND.027
2008-11-25 15:12:38 ----SHD---- C:\FOUND.026
2008-11-22 07:18:50 ----SHD---- C:\FOUND.025
2008-11-18 11:45:38 ----A---- C:\WINDOWS\System32\CmdLineExt.dll
2008-11-18 11:27:44 ----D---- C:\Documents and Settings\Gilang\Application Data\Konrad Papala
2008-11-18 10:38:32 ----SHD---- C:\FOUND.024
2008-11-12 09:44:18 ----D---- C:\Program Files\reallyBoom.com
2008-11-12 09:22:26 ----SHD---- C:\FOUND.023
2008-11-12 08:27:40 ----SHD---- C:\FOUND.022
2008-11-04 15:24:16 ----SHD---- C:\FOUND.021
2008-11-03 16:49:55 ----D---- C:\Program Files\Super Fast Shutdown
2008-11-02 09:44:46 ----SHD---- C:\FOUND.020
2008-10-31 12:27:19 ----A---- C:\WINDOWS\System32\winbfi32.dll
2008-10-31 12:27:15 ----A---- C:\WINDOWS\System32\xxyvussr.dll
2008-10-31 12:27:15 ----A---- C:\WINDOWS\System32\ssqNDtQH.dll
2008-10-28 05:08:42 ----SHD---- C:\FOUND.019
2008-10-23 20:06:06 ----SHD---- C:\FOUND.018
2008-10-21 21:28:44 ----D---- C:\Program Files\RAM Optimizer
2008-10-21 21:02:50 ----SHD---- C:\FOUND.017
2008-10-19 19:23:18 ----SHD---- C:\FOUND.016
2008-10-19 19:18:36 ----D---- C:\Documents and Settings\Gilang\Application Data\Wildfire
2008-10-19 19:14:36 ----SHD---- C:\FOUND.015
2008-10-12 09:50:47 ----A---- C:\WINDOWS\winDecrypt.INI
2008-10-12 09:49:48 ----D---- C:\Program Files\PDF Password Remover v3.0

======List of files/folders modified in the last 3 months======

2009-01-06 13:21:02 ----ASH---- C:\WINDOWS\System32\knnmp.ini
2009-01-05 13:12:04 ----A---- C:\WINDOWS\system.ini
2008-12-22 17:07:34 ----A---- C:\WINDOWS\avisplitter.INI
2008-12-20 11:39:32 ----A---- C:\WINDOWS\pskt.ini
2008-12-06 11:31:30 ----A---- C:\WINDOWS\System32\PerfStringBackup.TMP
2008-11-28 16:19:32 ----A---- C:\WINDOWS\System32\mcrh.tmp
2008-10-19 19:18:38 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ASPI32;ASPI32; C:\WINDOWS\System32\drivers\ASPI32.sys [2003-06-13 25244]
R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\System32\drivers\cdrbsvsd.sys [2003-12-03 13566]
R2 BTSERIAL;Bluetooth Serial Driver; \??\C:\WINDOWS\System32\drivers\btserial.sys []
R2 BTSLBCSP;Bluetooth Port Client Driver; \??\C:\WINDOWS\System32\drivers\btslbcsp.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2001-08-17 55296]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
R3 abp470n5;abp470n5; \??\C:\WINDOWS\System32\drivers\npjgmn.sys []
R3 BtAudio;Bluetooth Audio; C:\WINDOWS\System32\DRIVERS\btaudio.sys [2003-09-15 21861]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\System32\DRIVERS\btport.sys [2003-09-15 30235]
R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\System32\DRIVERS\btwdndis.sys [2003-09-15 146812]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2003-09-15 51848]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-01-08 812416]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
R3 padenum;Enumerador de dispositivos de NTPAD; C:\WINDOWS\System32\DRIVERS\padenum.sys [2002-03-07 10624]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2008-12-02 10368]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-17 23070]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2003-07-03 25216]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2003-07-03 53120]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2003-07-03 19328]
R3 VendorJoystickEnabler;Driver para joystick paralelo de consola; C:\WINDOWS\system32\drivers\ntpad.sys [2002-07-29 20992]
S1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-09-19 196240]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-23 8576]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2007-03-08 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2007-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2007-03-08 21568]
S3 HWACCESS;HWACCESS; \??\C:\WINDOWS\SYSTEM32\HWACCESS.SYS []
S3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\System32\DRIVERS\irsir.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 nocashio;nocashio; C:\WINDOWS\system32\drivers\nocashio.sys [2008-02-20 4096]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys []
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys []
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys []
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys []
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\System32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-09-19 12944]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-09-19 109200]
S3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-09-19 31888]
S3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-09-19 27792]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-09-19 24720]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2003-07-03 28160]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 24960]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
S3 USTOR;U-Storage Controller; C:\WINDOWS\System32\DRIVERS\UStork.sys [2004-08-17 20218]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-05-12 611664]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2003-09-15 143360]
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2001-08-23 12800]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-07-24 53248]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2001-08-23 12800]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2001-08-23 12800]
S2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-05-21 144384]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe []
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2003-08-15 87200]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe []
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2001-08-23 12800]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 159744]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SAVScan;Symantec AVScan; C:\Program Files\Norton AntiVirus\SAVScan.exe []
S3 ServiceLayer;ServiceLayer; C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe [2006-06-05 258560]
S4 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2008-01-07 366712]

-----------------EOF-----------------

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:52 PM

Posted 11 January 2009 - 04:55 AM

Have you run ComboFix? Do you have the log?

To find the ComboFix log, do the following:
  • Go to My Computer
  • Double click Local Disk (C:)
  • Look for a text file called ComboFix.txt and paste that here.
Note: Do not go into the folder "ComboFix", the log will not be there.

Edited by Jat90, 11 January 2009 - 02:23 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 Y4kuz4

Y4kuz4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 12 January 2009 - 04:32 AM

Dear Jat,
Sorry for my English earlier. I am sorry about the ComboFix log; I can't run it well, because when I ran ComboFix my PC also froze, maybe it is a BIOS problem. I'm sorry for making you wait. I now know why my Photoshop can't run well: the virus infected the .exe files in C:\Program Files. My question is how to remove the virus from the .exe files. About my PC's internet, I don't know, because I don't use it; in my home town there is no internet connection, and I'm using my phone to browse. Thank you for your help, this is useful.

#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:52 PM

Posted 14 January 2009 - 03:20 AM

Hello,

Don't worry about the delay :thumbsup: It's weird for ComboFix to stall like that. From your log it seems it didn't get a chance to clean your PC. We shall have to do it manually instead. I think some malicious files may prevent Photoshop from starting up, but I doubt Photoshop itself is infected.

Registry Backup

Backup Your Registry with ERUNT
  • Download from here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Registry Fix

Launch Notepad, and copy/paste the box below into a new text file. Save it on your desktop as fixme.reg. For "Save as type", choose All Files.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableRegistryTools"=0
  • Locate fixme.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
OTMoveIt

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    C:\WINDOWS\System32\xxyvussr.dll
    C:\WINDOWS\System32\nrhbsljo.dll
    C:\WINDOWS\System32\qtegvqjb.dll
    C:\WINDOWS\System32\ydqqibmy.dll
    C:\WINDOWS\SYSTEM32\winbfi32.dll
    C:\WINDOWS\SYSTEM32\windnv32.dll
    C:\WINDOWS\SYSTEM32\xxyvussr.dll
    C:\WINDOWS\web\related.htm
    C:\windows\System32\pmnnk.dll
    C:\Program Files\Gilang.exe
    C:\BIN.EXE
    C:\WINDOWS\System32\CF5009.exe
    C:\WINDOWS\SchedLgU.Txt
    C:\FOUND.*
    C:\WINDOWS\WAPXEAV.dll
    C:\WINDOWS\System32\oeminfo.ini
    C:\WINDOWS\System32\tsbyuv.dll
    C:\WINDOWS\System32\iyuv_32.dll
    C:\WINDOWS\System32\vfwwdm32.dll
    C:\WINDOWS\System32\winbfi32.dll
    C:\WINDOWS\System32\xxyvussr.dll
    C:\WINDOWS\System32\ssqNDtQH.dll
    C:\WINDOWS\winDecrypt.INI
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\System32\PerfStringBackup.TMP
    C:\WINDOWS\System32\mcrh.tmp
    C:\WINDOWS\System32\knnmp.ini
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C08715-AD85-4FB5-BB96-A7F700AB2964}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{216fc1b7-d7cf-4b5d-8176-c48247faf371}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a109564c-b9dd-458b-be75-7d53062fb79f}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "BMa37566dd"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qtxumbgd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbfi32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\windnv32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvussr]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{10C08715-AD85-4FB5-BB96-A7F700AB2964}"=-
    
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Kaspersky Scan

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
ReScan

Please rescan with RSIT and post the log.


In your next reply, please post:
  • OTMoveIt log
  • Kaspersky Report
  • RSIT log

Edited by Jat90, 14 January 2009 - 03:23 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

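Triage of the RSIT log posted earlier in this thread, as an added example written by the editor; it is not code from the thread, from Jat90, or from RSIT. It parses the Winlogon\Notify, ShellExecuteHooks, Policies\System and firewall-exception sections of RSIT output (using lines excerpted from the log above as constructed sample input) and flags the same kinds of entries the fix above removes: Notify subkeys whose DLL is missing, zero bytes, or not recorded at all; a ShellExecuteHooks CLSID that points at a DLL also registered under Notify; DisableTaskMgr/DisableRegistryTools set to 1; and firewall exceptions for files in a Temp directory or for non-.exe files. The category names and heuristics are the editor's own assumptions, not RSIT or ComboFix logic.

```python
import re

# Constructed excerpt: these lines are copied from the RSIT log in this thread,
# trimmed to the sections the triage below inspects.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-06 315392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qtxumbgd]
qtxumbgd.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\windnv32]
C:\WINDOWS\system32\windnv32.dll [2008-03-02 0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvussr]
C:\WINDOWS\system32\xxyvussr.dll [2008-10-31 33280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{10C08715-AD85-4FB5-BB96-A7F700AB2964}"=C:\WINDOWS\System32\xxyvussr.dll [2008-10-31 33280]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\windows\TEMP\win29D9.tmp.exe"="C:\windows\TEMP\win29D9.tmp.exe:*:Enabled:win29D9.tmp"
"K:\roqnij.cmd"="K:\roqnij.cmd:*:Enabled:ipsec"
"C:\WINDOWS\System32\taskmgr.exe"="C:\WINDOWS\System32\taskmgr.exe:*:Enabled:ipsec"
"""

# RSIT prints each file as "<path> [<date> <size>]", or "[]" when it cannot find the file.
FILE_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]$")


def parse_sections(text):
    """Split an RSIT log into {registry key: [value lines]}; keys are the [...] header lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_file_entry(line):
    """Return (path, size in bytes or None when RSIT reported the file as missing)."""
    m = FILE_RE.match(line)
    if not m:
        return line, None
    stamp = m.group("stamp").strip()
    return m.group("path").strip(), (int(stamp.split()[-1]) if stamp else None)


def triage(text):
    """Return a list of (category, detail) findings; heuristics are the editor's own."""
    sections = parse_sections(text)
    findings, notify_dlls = [], {}
    # Pass 1: Winlogon\Notify packages load into winlogon.exe at logon, so a missing,
    # empty or unrecorded DLL under that key is the first thing to look at.
    for key, lines in sections.items():
        if "\\Winlogon\\Notify\\" not in key:
            continue
        sub = key.rsplit("\\", 1)[1]
        if not lines:
            findings.append(("winlogon-notify", f"{sub}: subkey present but no DLL recorded"))
            continue
        path, size = parse_file_entry(lines[0])
        notify_dlls[path.rsplit("\\", 1)[-1].lower()] = sub
        if size is None:
            findings.append(("winlogon-notify", f"{sub}: {path} could not be found on disk"))
        elif size == 0:
            findings.append(("winlogon-notify", f"{sub}: {path} is zero bytes"))
    # Pass 2: cross-reference the other persistence, policy and firewall sections.
    for key, lines in sections.items():
        low = key.lower()
        if low.endswith("\\explorer\\shellexecutehooks"):
            for line in lines:
                clsid, _, rest = line.partition("=")
                base = parse_file_entry(rest)[0].rsplit("\\", 1)[-1].lower()
                if base in notify_dlls:
                    clsid = clsid.strip().strip('"')
                    findings.append(("shellexecutehook", f"{clsid} loads {base}, also a Winlogon Notify DLL"))
        elif low.endswith("\\policies\\system"):
            for line in lines:
                name, _, value = line.partition("=")
                name = name.strip('"')
                if name in ("DisableTaskMgr", "DisableRegistryTools") and value.strip() == "1":
                    findings.append(("policy", f"{name}=1 (matches the blocked Task Manager / regedit symptom)"))
        elif low.endswith("\\authorizedapplications\\list"):
            for line in lines:
                path = line.partition("=")[0].strip('"')
                if "\\temp\\" in path.lower():
                    findings.append(("firewall", f"exception for a file in a Temp directory: {path}"))
                elif not path.lower().endswith(".exe"):
                    findings.append(("firewall", f"exception for a non-.exe file: {path}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the excerpt it reports eight findings: the three suspect Notify subkeys (mszsrn32, qtxumbgd, windnv32), the ShellExecuteHooks CLSID that shares xxyvussr.dll with a Notify entry, both policy values, and the two odd firewall exceptions; the clean igfxcui and taskmgr.exe entries produce nothing. To run it over a real RSIT log, read the file and pass its text to triage() in place of SAMPLE_LOG.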

#11 Y4kuz4

Y4kuz4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 15 January 2009 - 05:39 PM

I ran ComboFix, but at stage 50 the program froze. ComboFix deleted many malicious files, but I didn't get the log. About the Kaspersky online scanner, I can't run it because I don't have an internet connection; I am using my phone, not as a modem.

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:52 PM

Posted 15 January 2009 - 07:18 PM

Ok, perform the other instructions please :thumbsup:

Thanks
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:52 PM

Posted 21 January 2009 - 05:40 AM

Hello,

are you still there?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#14 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:03:52 PM

Posted 23 January 2009 - 05:43 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook
