
pop ups and probably worse


#1 swisss

Posted 26 January 2009 - 11:58 PM

I just finished a download that had some pretty nasty side effects. I am getting a pop up saying "It is recommended to update you antispyware protection to prevent data loss. Please install the most up-to-date antispyware for you" then an ok button. This isn't the only one, there are about 2 or 3 that seem random, none of which seem encouraging at all. Please help.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:46 PM, on 1/26/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\Updater.exe
C:\Documents and Settings\Aleo Capincheo\Application Data\cogad\cogad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\Portal\hl2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Microsoft copyright - {32c620d6-cc10-4e6a-9715-bacacd5b0e61} - sxmg4.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\hgdfeeeh4fdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [Azaju] rundll32.exe "C:\WINDOWS\Acociqeniwar.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Windows Update] "C:\WINDOWS\system32\Updater.exe"
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Aleo Capincheo\Application Data\Microsoft\Windows\lsass.exe
O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - sxmg4.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 8358 bytes


#2 miekiemoes (Malware Response Team)

Posted 27 January 2009 - 04:01 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if an Antivirus scanner is not present, which should be able to deal with most of it and prevent further reinfection.

#3 swisss (Topic Starter)

Posted 28 January 2009 - 10:41 PM

Well, after much backing up of files, I did the scan and let it delete all of the things it could. Seems to be running a little better, but yeah. Here's the Avira report and HijackThis logfile.



Avira AntiVir Personal
Report file date: Wednesday, January 28, 2009 18:08

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3, v.5657) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: COMPY

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 23:57:13
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 23:16:47
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 11/17/2008 23:38:59
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/11/2008 21:00:07
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/7/2008 22:06:41
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/7/2008 22:06:41
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/7/2008 22:06:41
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/7/2008 22:06:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/7/2008 22:06:41
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, J:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, January 28, 2009 18:08

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'csrssc.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\csrssc.exe'
Scan process 'winamp.exe' - '1' Module(s) have been scanned
Scan process 'hpqgalry.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'Styler.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'Updater.exe' - '1' Module(s) have been scanned
Scan process 'RocketDock.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
Scan process 'winlognn.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe'
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'UnlockerAssistant.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'MediaServer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'csrssc.exe' has been terminated
Process 'winlognn.exe' has been terminated
C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\csrssc.exe
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49f2f3fe.qua'!
C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '49eef3f4.qua'!

53 processes with 51 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'J:\'
[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '70' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\byptemd.exe
[DETECTION] Is the TR/Tiny.705 Trojan
[NOTE] The file was moved to '49f0f40f.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\txxsv.exe
[DETECTION] Is the TR/Tiny.705 Trojan
[NOTE] The file was moved to '49f8f40e.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\50828.exe
[DETECTION] Contains HEUR/Crypted suspicious code
[NOTE] The file was moved to '49b8f3f8.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmp10.tmp
[DETECTION] Is the TR/Patched.CK.6 Trojan
[NOTE] The file was moved to '49f0f436.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmp5.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f7128f.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmp5AB.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49f0f428.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmp5AC.tmp
[DETECTION] Is the TR/Patched.CK.6 Trojan
[NOTE] The file was moved to '49f0f437.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmp6.tmp
[DETECTION] Is the TR/Patched.CK.6 Trojan
[NOTE] The file was moved to '48f71280.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmpF.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49f0f439.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temporary Internet Files\Content.IE5\9MI883SV\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Aleo Capincheo\Local Settings\Temporary Internet Files\Content.IE5\9MI883SV\cd[1].htm
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The file was moved to '49dbf471.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temporary Internet Files\Content.IE5\I7GBC2TD\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Aleo Capincheo\Local Settings\Temporary Internet Files\Content.IE5\I7GBC2TD\cd[1].htm
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The file was moved to '49dbf472.qua'!
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temporary Internet Files\Content.IE5\K4U7GRLZ\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Aleo Capincheo\Local Settings\Temporary Internet Files\Content.IE5\K4U7GRLZ\cd[1].htm
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The file was moved to '49dbf474.qua'!
C:\Program Files\Internet Explorer\setupapi.dll
[DETECTION] Is the TR/Agent.abas Trojan
[NOTE] The file was moved to '49f50145.qua'!
C:\WINDOWS\system32\hgdfeeeh4fdg.dll
[DETECTION] Is the TR/Downloader.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was moved to '4b65bf58.qua'!
C:\WINDOWS\system32\sxmg4.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was moved to '4b6ebf01.qua'!
C:\WINDOWS\system32\drivers\8b306f4d.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\CE09F540.exe
[DETECTION] Is the TR/Drop.Small.cbq Trojan
[NOTE] The file was moved to '49b1034c.qua'!
Begin scan in 'J:\' <WD Passport>
J:\Avast! Pro & Home Edition 4.8 Keygen!!.zip
[0] Archive type: ZIP
--> Avast Professional and Home Edition 4.8.1201 Keygen/AvastKeygen.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.688128.2 back-door program
[NOTE] The file was moved to '49e20388.qua'!


End of the scan: Wednesday, January 28, 2009 20:31
Used time: 2:23:30 Hour(s)

The scan has been done completely.

21898 Scanning directories
1070244 Files were scanned
15 viruses and/or unwanted programs were found
6 Files were classified as suspicious:
0 files were deleted
0 files were repaired
19 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
1070221 Files not concerned
7086 Archives were scanned
8 Warnings
19 Notes




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:14 PM, on 1/28/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\Updater.exe
C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\TEMP\rdl9.tmp
C:\WINDOWS\system32\svschost.exe
C:\WINDOWS\system32\svńshost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O2 - BHO: Microsoft copyright - {32c620d6-cc10-4e6a-9715-bacacd5b0e61} - sxmg4.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\hgdfeeeh4fdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll (file missing)
O2 - BHO: BHO - {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [Azaju] rundll32.exe "C:\WINDOWS\Acociqeniwar.dll",e
O4 - HKLM\..\Run: [Wgucopituci] rundll32.exe "C:\WINDOWS\itexinodusexuyo.dll",e
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Windows Update] "C:\WINDOWS\system32\Updater.exe"
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Aleo Capincheo\Application Data\Microsoft\Windows\lsass.exe
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E74A934A-0581-40A9-8AE3-2358F66B8A3D}: NameServer = 85.255.116.157,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.157,85.255.112.166
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.157,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.157,85.255.112.166
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - sxmg4.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService (nbservice) - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 10045 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:18 PM

Posted 29 January 2009 - 03:42 AM

Hi,

We're not finished yet. There's still a LOT we have to delete.
And imho, I have a bad feeling here, but we'll see afterwards...

Anyway.. * Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 swisss

swisss
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:18 AM

Posted 29 January 2009 - 07:26 AM

Here's the Anti-Malware log along with the HijackThis log.



Malwarebytes' Anti-Malware 1.33
Database version: 1704
Windows 5.1.2600 Service Pack 3, v.5657

1/29/2009 6:15:26 AM
mbam-log-2009-01-29 (06-15-26).txt

Scan type: Quick Scan
Objects scanned: 58079
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 9
Registry Data Items Infected: 8
Folders Infected: 3
Files Infected: 51

Memory Processes Infected:
C:\WINDOWS\system32\svschost.exe (Trojan.Injector) -> Unloaded process successfully.
C:\WINDOWS\system32\svńshost.exe (Trojan.Injector) -> Unloaded process successfully.
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\csrssc.exe (Trojan.Clicker) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Acociqeniwar.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32c620d6-cc10-4e6a-9715-bacacd5b0e61} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{32c620d6-cc10-4e6a-9715-bacacd5b0e61} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32c620d6-cc10-4e6a-9715-bacacd5b0e61} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysguard (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azaju (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svschost.exe (Trojan.Injector) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\webproxy (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgucopituci (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Lsass Service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.157,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e74a934a-0581-40a9-8ae3-2358f66b8a3d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.157,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.157,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e74a934a-0581-40a9-8ae3-2358f66b8a3d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.157,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.157,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e74a934a-0581-40a9-8ae3-2358f66b8a3d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.157,85.255.112.166 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aleo Capincheo\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Acociqeniwar.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\svschost.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svńshost.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\csrssc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxxjhtputv.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\diwgjqc.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\93610.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aleo Capincheo\Local Settings\Temp\tmp12.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\rdl9.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl5B0.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl5B4.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl8.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aleo Capincheo\Application Data\cogad\cogad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\itexinodusexuyo.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo1.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo2.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo3.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo4.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo5.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo6.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Updater.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\aol.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\gmail.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\google.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\live.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\search.yahoo.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\index.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-19.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-19B.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-8F9.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-AAF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-AFD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-D0F.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-EED.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-F4B.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxairxdoei.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxumexxgno.sys (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:46 AM, on 1/29/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\ALEOCA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService (nbservice) - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 8607 bytes
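
The two HijackThis logs in this thread show the three entry types that matter most for the DNS-hijack and lockout symptoms described here: an O1 hosts-file override (browser-security.microsoft.com pointed at 91.207.117.244), O17 NameServer values that were rewritten to 85.255.116.157 and 85.255.112.166 (flagged by MBAM as Trojan.DNSChanger), and the O7 DisableRegedit policy. The script below is an added example, not part of this thread and not code from HijackThis, Malwarebytes or HostsXpert: it triages HijackThis-style log lines and reports those three categories. The sample lines are constructed for the example (modelled on the entries posted above), and the TRUSTED_RESOLVERS set is an assumption a reviewer would replace with the resolvers they actually expect on the machine.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the HijackThis entries posted in this thread.
# The 192.168.1.1 interface entry is added to show a resolver that should NOT be flagged.
SAMPLE_HJT_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O1 - Hosts: 91.207.117.244 browser-security.microsoft.com",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.157,85.255.112.166",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{E74A934A-0581-40A9-8AE3-2358F66B8A3D}: NameServer = 192.168.1.1",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

# Assumption: the resolvers the administrator knows to be legitimate (e.g. the LAN router).
# Anything else configured as a NameServer is worth a look, whether public or private.
TRUSTED_RESOLVERS = {"192.168.1.1"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - (\S+): NameServer = (.+)$")
O7_RE = re.compile(r"^O7 - (.+?), (\w+)=(\d+)")


def _is_ip(token):
    """True if token parses as an IPv4/IPv6 address; lets us skip garbage tokens."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def triage_hijackthis(lines, trusted_resolvers=TRUSTED_RESOLVERS):
    """Group suspicious HijackThis entries by what they do to the victim machine.

    hosts_redirect : O1 entries that map a hostname to a non-loopback address
                     (this is what 'Restore MS Hosts file' in HostsXpert undoes).
    dns_hijack     : O17 NameServer values that are not in the trusted set.
    policy_lockout : O7 policy values set to a non-zero value (e.g. DisableRegedit=1).
    """
    findings = {"hosts_redirect": [], "dns_hijack": [], "policy_lockout": []}
    for raw in lines:
        line = raw.strip()

        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts entry pointing anywhere but loopback silently overrides DNS for that name.
            if not (ip.startswith("127.") or ip == "::1"):
                findings["hosts_redirect"].append({"host": host, "ip": ip})
            continue

        m = O17_RE.match(line)
        if m:
            key, servers = m.groups()
            untrusted = [
                s.strip() for s in servers.split(",")
                if _is_ip(s.strip()) and s.strip() not in trusted_resolvers
            ]
            if untrusted:
                findings["dns_hijack"].append({"key": key, "servers": untrusted})
            continue

        m = O7_RE.match(line)
        if m:
            key, policy, value = m.groups()
            if value != "0":
                findings["policy_lockout"].append({"key": key, "policy": policy})

    return findings


if __name__ == "__main__":
    for category, items in triage_hijackthis(SAMPLE_HJT_LINES).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the sample input the script reports the single hosts redirect, one O17 key carrying the two untrusted resolvers, and the DisableRegedit lockout, while the interface entry that points at the trusted router is left alone. The O17 check is deliberately allow-list based: a resolver being "private" is not evidence that it is legitimate, so the reviewer has to state which resolvers they expect.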

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:18 PM

Posted 29 January 2009 - 07:30 AM

Hi,

We are still not finished yet....

* Download: HostsXpert
Unzip HostsXpert to its own folder, e.g. C:\HostsXpert
Start HostsXpert.exe, click 'Restore MS Hosts file' and click OK.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

#7 swisss

swisss
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:18 AM

Posted 29 January 2009 - 06:34 PM

I want to say I think it's awesome that you're helping me out with all of this, even if it might be beyond saving. I'm pretty sure I did all the ComboFix stuff correctly. Anyways, here's the log for that.


ComboFix 09-01-21.04 - Aleo Capincheo 2009-01-29 17:21:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.554 [GMT -6:00]
Running from: c:\documents and settings\Aleo Capincheo\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Aleo Capincheo\Local Settings\Temporary Internet Files\fbk.sts
C:\FirePassword.exe
c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\sn.txt

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-29 17:10 . 2009-01-29 17:11 <DIR> d-------- C:\HostsXpert
2009-01-29 06:06 . 2009-01-29 06:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 06:06 . 2009-01-29 06:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 06:06 . 2009-01-29 06:06 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Malwarebytes
2009-01-29 06:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 06:06 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 18:06 . 2009-01-28 18:06 <DIR> d-------- c:\program files\Avira
2009-01-28 18:06 . 2009-01-28 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-27 21:40 . 2009-01-27 21:54 49 --a------ c:\windows\NeroDigital.ini
2009-01-27 17:42 . 2009-01-27 17:42 298,242 --a------ c:\windows\Promo1-map.png
2009-01-27 17:42 . 2009-01-27 17:42 289,840 --a------ c:\windows\Promo2-Petri.png
2009-01-27 17:42 . 2009-01-27 17:42 133,254 --a------ c:\windows\Promo3-Is_it_safe.png
2009-01-27 17:19 . 2009-01-27 17:20 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Ahead
2009-01-27 17:18 . 2009-01-27 17:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ahead
2009-01-27 17:16 . 2009-01-27 17:16 <DIR> d-------- c:\program files\Nero
2009-01-27 17:16 . 2009-01-27 17:18 <DIR> d-------- c:\program files\Common Files\Ahead
2009-01-27 17:16 . 2009-01-27 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-01-26 21:59 . 2009-01-29 17:24 93,420 --a------ c:\windows\system32\drivers\8b306f4d.sys
2009-01-26 21:58 . 2009-01-26 21:58 108,336 --a------ c:\windows\system32\mswinsck.ocx
2009-01-26 21:58 . 2009-01-26 21:58 2 --a------ C:\818466285
2009-01-24 18:04 . 2009-01-24 18:04 <DIR> d-------- c:\windows\system32\Lang
2009-01-21 19:05 . 2009-01-21 19:05 <DIR> d-------- c:\program files\LSI SoftModem
2009-01-21 19:04 . 2009-01-21 19:04 <DIR> d-------- c:\windows\system32\RTCOM
2009-01-21 03:01 . 2009-01-21 03:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-20 13:27 . 2009-01-20 13:27 <DIR> d-------- c:\windows\Sun
2009-01-20 13:25 . 2009-01-20 13:24 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 13:25 . 2009-01-20 13:24 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-20 13:24 . 2009-01-20 13:24 <DIR> d-------- c:\program files\Java
2009-01-20 11:49 . 2009-01-20 11:49 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-20 11:49 . 2009-01-20 11:49 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-20 11:47 . 2009-01-20 11:47 <DIR> d-------- c:\program files\NOS
2009-01-20 11:47 . 2009-01-21 03:09 <DIR> d-------- c:\program files\Google
2009-01-20 11:47 . 2009-01-16 18:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-16 18:13 . 2009-01-16 18:13 <DIR> d-------- c:\program files\Common Files\HP
2009-01-16 18:12 . 2009-01-16 18:12 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-16 18:12 . 2009-01-16 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-16 18:12 . 2004-05-11 10:53 82,432 -ra------ c:\windows\system32\MSXML4r.dll
2009-01-16 18:12 . 2004-05-11 10:53 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2009-01-16 18:11 . 2009-01-16 18:11 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-16 18:10 . 2009-01-16 18:10 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-16 18:05 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-16 18:05 . 2004-03-18 16:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2009-01-16 18:05 . 2004-03-18 16:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2009-01-16 18:05 . 2004-03-18 16:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2009-01-16 18:05 . 2004-03-18 16:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2009-01-16 18:05 . 2004-03-18 16:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2009-01-16 18:05 . 2004-03-18 16:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2009-01-16 18:05 . 2008-04-13 23:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-16 18:03 . 2009-01-16 18:24 104,253 --a------ c:\windows\hpoins04.dat
2009-01-16 18:03 . 2004-06-21 04:40 17,176 --------- c:\windows\hpomdl04.dat
2009-01-16 00:34 . 2008-02-05 00:00 <DIR> d-------- C:\Portal
2009-01-16 00:10 . 2008-02-05 00:00 <DIR> d-------- c:\program files\Portal
2009-01-06 03:08 . 2009-01-06 03:08 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-04 03:31 . 2009-01-04 03:31 <DIR> d-------- c:\program files\ACD Systems
2009-01-04 03:31 . 2009-01-04 03:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2009-01-04 02:10 . 2009-01-04 02:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Media Player Classic
2009-01-03 21:16 . 2009-01-03 21:16 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-03 17:36 . 2007-11-29 12:52 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-01-03 17:36 . 2007-12-24 13:47 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-01-03 17:36 . 2007-12-03 16:34 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-01-03 17:36 . 2007-11-29 12:52 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-03 17:34 . 2009-01-03 17:36 <DIR> d-------- c:\program files\TVersity Codec Pack
2009-01-03 17:32 . 2009-01-03 17:32 <DIR> d-------- c:\program files\TVersity
2009-01-03 14:21 . 2009-01-03 14:21 38 --a------ c:\windows\avisplitter.INI
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\program files\iTunes
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\program files\iPod
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\program files\Bonjour
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-01 22:34 . 2009-01-02 01:57 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Apple Computer
2009-01-01 22:34 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-01 22:34 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-01 22:33 . 2009-01-01 22:33 <DIR> d-------- c:\program files\QuickTime
2009-01-01 22:33 . 2009-01-01 22:34 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-01 22:33 . 2009-01-01 22:33 <DIR> d-------- c:\program files\Apple Software Update
2009-01-01 22:33 . 2009-01-02 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-01 22:33 . 2009-01-01 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-01 22:33 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-01 22:08 . 2009-01-01 22:34 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-01 22:08 . 2009-01-01 22:08 <DIR> d-------- c:\program files\MSN Messenger
2009-01-01 22:08 . 2009-01-03 12:43 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Contacts
2008-12-31 15:16 . 2008-12-31 15:19 <DIR> d-------- c:\program files\AutoCAD 2008
2008-12-31 15:16 . 2009-01-02 17:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-12-31 15:16 . 2009-01-02 17:23 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Autodesk
2008-12-31 15:15 . 2008-12-31 15:19 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2008-12-31 15:15 . 2008-12-31 15:15 <DIR> d-------- c:\program files\Autodesk
2008-12-30 14:04 . 2008-12-13 00:26 3,594,752 --------- c:\windows\system32\dllcache\mshtml.dll
2008-12-30 14:04 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-30 14:04 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-30 14:04 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-30 14:04 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-30 14:04 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-30 14:04 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-30 14:04 . 2008-04-11 13:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-30 14:04 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-30 14:04 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-30 14:04 . 2008-05-01 08:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-30 14:04 . 2008-10-03 04:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
2008-12-30 14:04 . 2008-05-08 08:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-30 14:02 . 2009-01-21 03:02 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-30 14:02 . 2008-12-30 14:02 <DIR> d-------- c:\program files\Microsoft WSE
2008-12-30 14:02 . 2009-01-21 03:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-30 14:01 . 2008-12-22 17:38 <DIR> d-------- c:\program files\MSBuild
2008-12-30 14:01 . 2007-03-23 04:07 1,683,280 --------- c:\windows\system32\XpsSvcs.dll
2008-12-30 14:01 . 2007-03-23 04:07 1,683,280 --------- c:\windows\system32\dllcache\XpsSvcs.dll
2008-12-30 14:01 . 2007-03-22 18:25 677,376 --------- c:\windows\system32\dllcache\PrintFilterPipelineSvc.exe
2008-12-30 14:01 . 2007-03-23 04:07 583,504 --------- c:\windows\system32\XPSSHHDR.dll
2008-12-30 14:01 . 2007-03-23 04:07 583,504 --------- c:\windows\system32\dllcache\XPSSHHDR.dll
2008-12-30 14:01 . 2007-03-22 18:25 124,928 --------- c:\windows\system32\prntvpt.dll
2008-12-30 14:01 . 2007-03-22 18:24 28,160 --------- c:\windows\system32\dllcache\FilterPipelinePrintProc.dll
2008-12-30 14:01 . 2006-06-29 11:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-30 14:00 . 2009-01-27 06:35 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\uTorrent
2008-12-30 14:00 . 2008-12-30 14:00 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Styler
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Desktopicon
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS254C.tmp
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2548.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2546.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS253B.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2538.tmp
2008-12-30 14:00 . 2008-12-30 11:09 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS252A.tmp
2008-12-30 14:00 . 2008-12-30 11:09 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2525.tmp
2008-12-30 14:00 . 2008-12-30 11:08 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS24A7.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\_ir_sf7_temp_0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 12:23 --------- d-----w c:\program files\Hunt Virus Utilities
2009-01-29 12:16 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\mIRC
2009-01-29 12:10 --------- d-----w c:\program files\mIRC
2009-01-17 00:15 --------- d-----w c:\program files\HP
2009-01-04 09:31 --------- d-----w c:\program files\Common Files\ACD Systems
2008-12-31 21:16 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-30 20:00 --------- d-----w c:\program files\VistaExperience.org
2008-12-30 20:00 --------- d-----w c:\program files\Styler
2008-12-30 17:11 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-30 17:10 --------- d-----w c:\program files\Windows Sidebar
2008-12-30 17:10 --------- d-----w c:\program files\Sysinternals
2008-12-30 17:10 --------- d-----w c:\program files\IZArc
2008-12-30 17:10 --------- d-----w c:\program files\HashTab Shell Extension
2008-12-30 17:10 --------- d-----w c:\program files\Common Files\Stardock
2008-12-30 17:10 --------- d-----w c:\program files\Alky for Applications
2008-12-30 17:04 --------- d-----w c:\program files\CCleaner
2008-12-30 17:02 --------- d-----w c:\program files\uTorrent
2008-12-30 16:57 --------- d-----w c:\program files\System
2008-12-30 16:57 --------- d-----w c:\program files\Stanimir Stoyanov
2008-12-30 16:57 --------- d-----w c:\program files\Desktop
2008-12-30 16:57 --------- d-----w c:\program files\7-Zip
2008-12-30 16:56 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-27 05:51 --------- d-----w c:\program files\Unlocker
2008-12-26 19:23 --------- d-----w c:\program files\metamorphose
2008-12-26 19:23 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\.metamorphose
2008-12-24 22:45 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\Winamp
2008-12-24 03:23 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\ACD Systems
2008-12-24 03:07 --------- d-----w c:\program files\PowerCmd
2008-12-23 12:10 --------- d-----w c:\program files\Winamp
2008-12-23 02:05 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-12-23 02:05 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\ATI
2008-12-23 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 02:03 --------- d-----w c:\program files\ATI Technologies
2008-12-23 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-23 01:56 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\Uniblue
2008-12-23 01:37 --------- d-----w c:\documents and settings\Aleo Capincheo\Application Data\WinBatch
2008-12-23 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers Headquarters
2008-12-22 23:39 --------- d-----w c:\program files\Microsoft Works
2008-12-22 23:38 --------- d-----w c:\program files\Microsoft.NET
2008-12-22 23:36 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-04-14 12:00 54,896 --sh--r c:\windows\system32\javaupd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-04 344064]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

c:\documents and settings\Aleo Capincheo\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\Aleo Capincheo\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-12-30 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-05-12 10:49 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-20 33752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - srservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com j:
\shell\open\command - j:\resycled\ntldr.com j:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Aleo Capincheo\Application Data\Mozilla\Firefox\Profiles\u19mw4nq.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 17:24:01
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8b306f4d]
"ImagePath"="\SystemRoot\System32\drivers\8b306f4d.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-01-29 17:26:08
ComboFix-quarantined-files.txt 2009-01-29 23:25:57

Pre-Run: 126,327,783,424 bytes free
Post-Run: 126,997,110,784 bytes free

303 --- E O F --- 2009-01-22 01:46:58

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 January 2009 - 02:23 AM

Hi,

I actually have a bad feeling here, since I see a lot of legitimate folders (content) being modified within the same period of time. This may reveal the presence of a file infector. If that's the case, then I suggest a format and reinstall. This is because a file infector infects legitimate files, and they may not be deleted but disinfected instead. In that case, there isn't much we can do about this; it's up to the scanners to disinfect them. But since infecting and disinfecting files may cause the file to be corrupted, a format and reinstall is actually the fastest and especially the safest solution.

Anyway, we'll find out later if you're indeed dealing with a file infector. Please perform the following steps first...

* Download the next removal tool to your desktop:
http://www.techsupportforum.com/sectools/s...Disinfector.exe
If you have any flash drives that were used previously, insert them as well, since this is a flash-drive infection and the above tool will disinfect them too.
Then double-click Flash_Disinfector.exe to run the tool.
Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.
Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\818466285
c:\windows\system32\drivers\8b306f4d.sys
Driver::
8b306f4d
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
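A defender-side triage script for the heuristics in this reply, as an added example and not part of the thread or of ComboFix: it parses ComboFix-style log text (sample lines constructed from the log above), groups "Files Created" entries by creation minute to surface the same-period modification burst the helper describes, and flags mountpoints2 shell commands for removable drives and services whose names are bare hex strings (the two CFScript targets). The function names, regexes and the burst threshold are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.
2009-01-29 06:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 14:00 . 2009-01-27 06:35 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\uTorrent
2008-12-30 14:00 . 2008-12-30 14:00 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Styler
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS254C.tmp
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2548.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2546.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com j:
\shell\open\command - j:\resycled\ntldr.com j:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8b306f4d]
"ImagePath"="\SystemRoot\System32\drivers\8b306f4d.sys"
"""

# "<created> . <modified> <size|<DIR>> <attrs> <path>" as printed in the Files Created section.
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$"
)
# Heuristic (my assumption): a service whose name is a bare 8-digit hex string, like 8b306f4d.
HEX_SERVICE_RE = re.compile(r"\\services\\([0-9a-f]{8})$", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$')


def parse_files(log_text):
    """Yield (created, modified, size_or_DIR, attrs, path) for every Files Created line."""
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            yield m.groups()


def creation_bursts(log_text, threshold=5):
    """Creation minutes with at least `threshold` entries: many files touched in one window."""
    counts = Counter(created for created, *_ in parse_files(log_text))
    return {minute: n for minute, n in counts.items() if n >= threshold}


def registry_lines(log_text):
    """Yield (current_key, value_line) pairs for the REGEDIT4-style part of the log."""
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line:
            yield key, line


def removable_autoruns(log_text):
    """mountpoints2 shell commands: what Explorer runs when that drive letter is opened."""
    findings = []
    for key, line in registry_lines(log_text):
        if "\\mountpoints2\\" in key.lower() and line.lower().startswith("\\shell\\"):
            verb, _, command = line.partition(" - ")
            findings.append((key.rsplit("\\", 1)[-1], verb, command))
    return findings


def hex_named_services(log_text):
    """Services with a hex-only name, paired with the driver/image path the log reports."""
    findings = []
    for key, line in registry_lines(log_text):
        svc = HEX_SERVICE_RE.search(key)
        img = IMAGEPATH_RE.match(line)
        if svc and img:
            findings.append((svc.group(1), img.group(1)))
    return findings


def triage(log_text, burst_threshold=5):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "creation_bursts": creation_bursts(log_text, burst_threshold),
        "removable_autoruns": removable_autoruns(log_text),
        "hex_named_services": hex_named_services(log_text),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"== {name} ==")
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("  ", item)
```

Findings are leads for a human reviewer, not verdicts: a burst of creations in one minute is just as consistent with an installer or Windows Update run, which is why the helper says the file-infector question is settled by the scanners, not by the listing.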

#9 swisss

swisss
  • Topic Starter

  • Members
  • 12 posts

Posted 30 January 2009 - 03:23 PM

There we go, another log from Combofix.


ComboFix 09-01-21.04 - Aleo Capincheo 2009-01-30 14:11:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.576 [GMT -6:00]
Running from: c:\documents and settings\Aleo Capincheo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aleo Capincheo\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\818466285
c:\windows\system32\drivers\8b306f4d.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\818466285
c:\windows\system32\drivers\8b306f4d.sys
c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8b306f4d


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-30 14:18 . 2004-05-11 10:53 487,424 -ra------ c:\windows\system32\hpvcp70.dll
2009-01-30 14:18 . 2004-05-11 10:53 344,064 -ra------ c:\windows\system32\hpvcr70.dll
2009-01-29 17:51 . 2009-01-29 17:51 <DIR> d-------- c:\windows\system32\xircom
2009-01-29 17:51 . 2009-01-29 17:51 <DIR> d-------- c:\program files\microsoft frontpage
2009-01-29 17:10 . 2009-01-29 17:11 <DIR> d-------- C:\HostsXpert
2009-01-29 06:06 . 2009-01-29 06:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 06:06 . 2009-01-29 06:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 06:06 . 2009-01-29 06:06 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Malwarebytes
2009-01-29 06:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 06:06 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 18:06 . 2009-01-28 18:06 <DIR> d-------- c:\program files\Avira
2009-01-28 18:06 . 2009-01-28 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-27 21:40 . 2009-01-27 21:54 49 --a------ c:\windows\NeroDigital.ini
2009-01-27 17:42 . 2009-01-27 17:42 298,242 --a------ c:\windows\Promo1-map.png
2009-01-27 17:42 . 2009-01-27 17:42 289,840 --a------ c:\windows\Promo2-Petri.png
2009-01-27 17:42 . 2009-01-27 17:42 133,254 --a------ c:\windows\Promo3-Is_it_safe.png
2009-01-27 17:19 . 2009-01-27 17:20 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Ahead
2009-01-27 17:18 . 2009-01-27 17:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ahead
2009-01-27 17:16 . 2009-01-27 17:16 <DIR> d-------- c:\program files\Nero
2009-01-27 17:16 . 2009-01-27 17:18 <DIR> d-------- c:\program files\Common Files\Ahead
2009-01-27 17:16 . 2009-01-27 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-01-26 21:58 . 2009-01-26 21:58 108,336 --a------ c:\windows\system32\mswinsck.ocx
2009-01-24 18:04 . 2009-01-24 18:04 <DIR> d-------- c:\windows\system32\Lang
2009-01-21 19:05 . 2009-01-21 19:05 <DIR> d-------- c:\program files\LSI SoftModem
2009-01-21 19:04 . 2009-01-21 19:04 <DIR> d-------- c:\windows\system32\RTCOM
2009-01-21 03:01 . 2009-01-21 03:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-20 13:27 . 2009-01-20 13:27 <DIR> d-------- c:\windows\Sun
2009-01-20 13:25 . 2009-01-20 13:24 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 13:25 . 2009-01-20 13:24 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-20 13:24 . 2009-01-20 13:24 <DIR> d-------- c:\program files\Java
2009-01-20 11:49 . 2009-01-20 11:49 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-20 11:49 . 2009-01-20 11:49 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-20 11:47 . 2009-01-20 11:47 <DIR> d-------- c:\program files\NOS
2009-01-20 11:47 . 2009-01-30 14:06 <DIR> d-------- c:\program files\Google
2009-01-20 11:47 . 2009-01-16 18:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-16 18:13 . 2009-01-16 18:13 <DIR> d-------- c:\program files\Common Files\HP
2009-01-16 18:12 . 2009-01-16 18:12 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-16 18:12 . 2009-01-16 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-16 18:12 . 2004-05-11 10:53 82,432 -ra------ c:\windows\system32\MSXML4r.dll
2009-01-16 18:12 . 2004-05-11 10:53 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2009-01-16 18:11 . 2009-01-16 18:11 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-16 18:10 . 2009-01-16 18:10 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-16 18:05 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-16 18:05 . 2004-03-18 16:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2009-01-16 18:05 . 2004-03-18 16:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2009-01-16 18:05 . 2004-03-18 16:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2009-01-16 18:05 . 2004-03-18 16:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2009-01-16 18:05 . 2004-03-18 16:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2009-01-16 18:05 . 2004-03-18 16:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2009-01-16 18:05 . 2008-04-13 23:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-16 18:03 . 2009-01-16 18:24 104,253 --a------ c:\windows\hpoins04.dat
2009-01-16 18:03 . 2004-06-21 04:40 17,176 --------- c:\windows\hpomdl04.dat
2009-01-16 00:34 . 2008-02-05 00:00 <DIR> d-------- C:\Portal
2009-01-16 00:10 . 2008-02-05 00:00 <DIR> d-------- c:\program files\Portal
2009-01-06 03:08 . 2009-01-06 03:08 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-04 03:31 . 2009-01-04 03:31 <DIR> d-------- c:\program files\ACD Systems
2009-01-04 03:31 . 2009-01-04 03:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2009-01-04 02:10 . 2009-01-04 02:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Media Player Classic
2009-01-03 21:16 . 2009-01-03 21:16 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-03 17:36 . 2007-11-29 12:52 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-01-03 17:36 . 2007-12-24 13:47 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-01-03 17:36 . 2007-12-03 16:34 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-01-03 17:36 . 2007-11-29 12:52 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-03 17:34 . 2009-01-03 17:36 <DIR> d-------- c:\program files\TVersity Codec Pack
2009-01-03 17:32 . 2009-01-03 17:32 <DIR> d-------- c:\program files\TVersity
2009-01-03 14:21 . 2009-01-03 14:21 38 --a------ c:\windows\avisplitter.INI
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\program files\iTunes
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\program files\iPod
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\program files\Bonjour
2009-01-01 22:34 . 2009-01-01 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-01 22:34 . 2009-01-02 01:57 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Apple Computer
2009-01-01 22:34 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-01 22:34 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-01 22:33 . 2009-01-01 22:33 <DIR> d-------- c:\program files\QuickTime
2009-01-01 22:33 . 2009-01-01 22:34 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-01 22:33 . 2009-01-01 22:33 <DIR> d-------- c:\program files\Apple Software Update
2009-01-01 22:33 . 2009-01-02 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-01 22:33 . 2009-01-01 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-01 22:33 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-01 22:08 . 2009-01-01 22:34 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-01 22:08 . 2009-01-01 22:08 <DIR> d-------- c:\program files\MSN Messenger
2009-01-01 22:08 . 2009-01-03 12:43 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Contacts
2008-12-31 15:16 . 2008-12-31 15:19 <DIR> d-------- c:\program files\AutoCAD 2008
2008-12-31 15:16 . 2009-01-02 17:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-12-31 15:16 . 2009-01-02 17:23 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Autodesk
2008-12-31 15:15 . 2008-12-31 15:19 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2008-12-31 15:15 . 2008-12-31 15:15 <DIR> d-------- c:\program files\Autodesk
2008-12-30 14:04 . 2008-12-13 00:26 3,594,752 --------- c:\windows\system32\dllcache\mshtml.dll
2008-12-30 14:04 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-30 14:04 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-30 14:04 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-30 14:04 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-30 14:04 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-30 14:04 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-30 14:04 . 2008-04-11 13:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-30 14:04 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-30 14:04 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-30 14:04 . 2008-05-01 08:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-30 14:04 . 2008-10-03 04:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
2008-12-30 14:04 . 2008-05-08 08:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-30 14:02 . 2009-01-21 03:02 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-30 14:02 . 2008-12-30 14:02 <DIR> d-------- c:\program files\Microsoft WSE
2008-12-30 14:02 . 2009-01-21 03:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-30 14:01 . 2008-12-22 17:38 <DIR> d-------- c:\program files\MSBuild
2008-12-30 14:01 . 2007-03-23 04:07 1,683,280 --------- c:\windows\system32\XpsSvcs.dll
2008-12-30 14:01 . 2007-03-23 04:07 1,683,280 --------- c:\windows\system32\dllcache\XpsSvcs.dll
2008-12-30 14:01 . 2007-03-22 18:25 677,376 --------- c:\windows\system32\dllcache\PrintFilterPipelineSvc.exe
2008-12-30 14:01 . 2007-03-23 04:07 583,504 --------- c:\windows\system32\XPSSHHDR.dll
2008-12-30 14:01 . 2007-03-23 04:07 583,504 --------- c:\windows\system32\dllcache\XPSSHHDR.dll
2008-12-30 14:01 . 2007-03-22 18:25 124,928 --------- c:\windows\system32\prntvpt.dll
2008-12-30 14:01 . 2007-03-22 18:24 28,160 --------- c:\windows\system32\dllcache\FilterPipelinePrintProc.dll
2008-12-30 14:01 . 2006-06-29 11:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-30 14:00 . 2009-01-27 06:35 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\uTorrent
2008-12-30 14:00 . 2008-12-30 14:00 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Styler
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\Application Data\Desktopicon
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS254C.tmp
2008-12-30 14:00 . 2008-12-30 11:11 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2548.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2546.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS253B.tmp
2008-12-30 14:00 . 2008-12-30 11:10 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2538.tmp
2008-12-30 14:00 . 2008-12-30 11:09 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS252A.tmp
2008-12-30 14:00 . 2008-12-30 11:09 <DIR> d-------- c:\documents and settings\Aleo Capincheo\7zS2525.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 01:48 --------- d-----w c:\program files\mIRC
2009-01-29 12:23 --------- d-----w c:\program files\Hunt Virus Utilities
2009-01-17 00:15 --------- d-----w c:\program files\HP
2009-01-04 09:31 --------- d-----w c:\program files\Common Files\ACD Systems
2008-12-31 21:16 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-30 20:00 --------- d-----w c:\program files\VistaExperience.org
2008-12-30 20:00 --------- d-----w c:\program files\Styler
2008-12-30 17:11 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-30 17:10 --------- d-----w c:\program files\Windows Sidebar
2008-12-30 17:10 --------- d-----w c:\program files\Sysinternals
2008-12-30 17:10 --------- d-----w c:\program files\IZArc
2008-12-30 17:10 --------- d-----w c:\program files\HashTab Shell Extension
2008-12-30 17:10 --------- d-----w c:\program files\Common Files\Stardock
2008-12-30 17:10 --------- d-----w c:\program files\Alky for Applications
2008-12-30 17:04 --------- d-----w c:\program files\CCleaner
2008-12-30 17:02 --------- d-----w c:\program files\uTorrent
2008-12-30 16:57 --------- d-----w c:\program files\System
2008-12-30 16:57 --------- d-----w c:\program files\Stanimir Stoyanov
2008-12-30 16:57 --------- d-----w c:\program files\Desktop
2008-12-30 16:57 --------- d-----w c:\program files\7-Zip
2008-12-30 16:56 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-27 05:51 --------- d-----w c:\program files\Unlocker
2008-12-26 19:23 --------- d-----w c:\program files\metamorphose
2008-12-24 03:07 --------- d-----w c:\program files\PowerCmd
2008-12-23 12:10 --------- d-----w c:\program files\Winamp
2008-12-23 02:05 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-12-23 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 02:03 --------- d-----w c:\program files\ATI Technologies
2008-12-23 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-23 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers Headquarters
2008-12-22 23:39 --------- d-----w c:\program files\Microsoft Works
2008-12-22 23:38 --------- d-----w c:\program files\Microsoft.NET
2008-12-22 23:36 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 12:46 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 12:46 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 06:34 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 06:33 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-04-14 12:00 54,896 --sh--r c:\windows\system32\javaupd.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-29_17.24.32.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-22 01:06:41 71,250 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-29 23:55:54 71,250 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-22 01:06:41 441,184 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-29 23:55:54 441,184 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-30 20:17:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_688.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-04 344064]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

c:\documents and settings\Aleo Capincheo\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\Aleo Capincheo\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-12-30 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-05-12 10:49 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-20 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Aleo Capincheo\Application Data\Mozilla\Firefox\Profiles\u19mw4nq.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 14:17:56
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Styler\Styler.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-01-30 14:21:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-30 20:21:06
ComboFix2.txt 2009-01-29 23:26:09

Pre-Run: 126,990,745,600 bytes free
Post-Run: 126,886,612,992 bytes free

343 --- E O F --- 2009-01-22 01:46:58
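The Find3M report above lists c:\windows\system32\javaupd.exe with the attribute string `--sh--r` (system, hidden, read-only) and the same 2008-04-14 12:00 stamp that Windows XP SP3's own binaries carry (ctfmon.exe in the Run key shows the same date). That combination is what a log reviewer picks out by eye: legitimate system32 executables are not hidden, and a hidden+system file also explains why it cannot be found in Explorer with default settings. The script below is an added example, not part of this thread, of ComboFix or of any BleepingComputer tooling. It parses Find3M-style lines and flags such entries. The sample lines are copied from the report above; the column layout of the attribute field, the SP3 timestamp value and the "dllcache twin" rule are assumptions inferred from the entries on this page, and the second rule is only a heuristic for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the Find3M report in the thread, plus a
# directory entry, so the triage can run offline. Column layout is
# "date time size attrs path"; the 7-char attrs field is assumed to read
# d?shatw with r in place of w for read-only files (inferred from this log).
SAMPLE_FIND3M = r"""
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-04-14 12:00 54,896 --sh--r c:\windows\system32\javaupd.exe
2008-12-23 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
"""

# Assumption: XP SP3 stamps its own files with this date/time (as displayed in
# this log's time zone); a stray file borrowing it is trying to blend in.
XP_SP3_STAMP = ("2008-04-14", "12:00")
EXE_EXTS = (".exe", ".dll", ".sys", ".scr", ".ocx")
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[a-z-]{7}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directory entries ("---------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def readonly(self) -> bool:
        return self.attrs[6] == "r"

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_find3m(text: str) -> List[Entry]:
    """Parse Find3M report lines; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries a reviewer should look at first."""
    entries = parse_find3m(text)
    # Basenames that have a Windows File Protection copy under dllcache.
    cached = {e.basename for e in entries if "\\dllcache\\" in e.path.lower()}
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not p.startswith("c:\\windows\\system32\\"):
            continue
        if "\\dllcache\\" in p or not p.endswith(EXE_EXTS):
            continue
        # Rule 1: Windows ships no hidden+system executables in system32, and
        # Explorer hides such files by default, so the user "can't find" them.
        if e.system and e.hidden:
            findings.append((e.path, "hidden+system executable in system32"))
        # Rule 2 (heuristic): borrowed OS build stamp but no dllcache twin.
        if (e.date, e.time) == XP_SP3_STAMP and e.basename not in cached:
            findings.append((e.path, "OS build timestamp but no dllcache copy"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_FIND3M):
        print(f"{reason}: {path}")
```

Run against the sample, only javaupd.exe is reported, once per rule; the ATI and Windows Update files pass because they are neither hidden nor stamped with the SP3 date. The point of the second rule is review ordering, not detection: plenty of unprotected third-party files can legitimately carry any timestamp, so a hit means "look at this first", and the Kaspersky report later in the thread is what actually names the file.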

#10 miekiemoes (Malware Response Team)

Posted 31 January 2009 - 05:35 AM

Hi,

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 swisss (Topic Starter)

Posted 01 February 2009 - 11:43 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3, v.5657 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 31, 2009 15:48:35
Records in database: 1732766
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\
L:\

Scan statistics:
Files scanned: 213575
Threat name: 4
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 07:56:33


File name / Threat name / Threats count
C:\Documents and Settings\Aleo Capincheo\7zS254C.tmp\Pwr-cmd.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\Documents and Settings\Default User\7zS254C.tmp\Pwr-cmd.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\config\systemprofile\7zS254C.tmp\Pwr-cmd.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CNW3XWLY\1552[1].exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.dw 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QCRNQ7JQ\soft[2].exe Infected: Worm.Win32.AutoRun.yvq 1
C:\WINDOWS\system32\javaupd.exe Infected: Worm.Win32.AutoRun.evh 1

The selected area was scanned.

#12 miekiemoes (Malware Response Team)

Posted 01 February 2009 - 04:21 PM

Hi,

Navigate to and delete the following file:

C:\WINDOWS\system32\javaupd.exe

Then, download CCleaner
1. During the install, uncheck the option to install the Yahoo Toolbar
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.


In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Let me know in your next reply how things are now.

#13 swisss (Topic Starter)

Posted 01 February 2009 - 05:30 PM

Well, the pop-ups have gone away and I can navigate around more easily. Before, it wouldn't even recognize that I had my external hard drive plugged in. Things are running a bit slow, but I think that's because a lot of files were deleted as of late. I guess it can't be helped, though.

#14 miekiemoes (Malware Response Team)

Posted 01 February 2009 - 05:31 PM

Hi,

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 swisss (Topic Starter)

Posted 01 February 2009 - 05:33 PM

One more thing I forgot to mention, I couldn't find that file in system32. Probably no biggie, but ya.



