Help with infected computer



#1 Kingolame

Posted 20 March 2009 - 10:03 AM

This started a few days ago, when I heard sounds of blocked popups occasionally, which lagged up my computer. AVG also displayed many files which are "infected". I tried deleting them once, and the computer was forced to restart. Then I tried running an AVG scan in safe mode, which identified a lot of files and sent them to the virus vault. However, the virus (or whatever it is; I'm not very good with computers, hence I'm not sure, or rather totally unclear, of what's happening to my computer) still exists. After this, I went to try ComboFix and Spybot S&D, but the virus still didn't disappear. I've also done a scan with Malwarebytes but did not remove any of the files in case I accidentally delete something important and damage my computer. I've also done a scan with HijackThis. Please help me to get rid of this problem.
According to AVG, I think my computer has these infections: Trojan horse Agent_r.IL.dropper, Trojan horse PSW.Generic7.LA.dropper, Win32/Heur, Trojan horse PSW.OnlineGames.BQRE, Trojan horse PSW.Generic7.IH, Trojan horse KillAV.UD, Trojan horse Pakes.CVS, Virus found Dropper.Rozena, Trojan horse Agent2.V, Trojan horse PSW.Ldpinch.11.BQ and other similar ones. Sometimes they also mentioned things like "Runtime packed upack". Thanks.



#2 boopme

Posted 20 March 2009 - 04:10 PM

Hello and welcome. Let's see if we can get an MBAM log.

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Kingolame

Posted 21 March 2009 - 12:25 AM

Here's the MBAM log requested. Please help me see if my computer is good to go. Thanks.

Malwarebytes' Anti-Malware 1.34
Database version: 1876
Windows 5.1.2600 Service Pack 2

3/21/2009 1:14:36 PM
mbam-log-2009-03-21 (13-14-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 201001
Time elapsed: 3 hour(s), 39 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 14
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Fonts\63C8062F.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\Fonts\D7019B3B.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\Fonts\3EFEAF36.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\DxPlroBt.Rxf (Trojan.PWS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{63c8062f-ba71-44a1-8322-1c9a84783778} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7019b3b-abf8-4d55-ab50-95a110373d54} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\b54321.ieencryptapp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xy2.gzxy2atl (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xy2.gzxy2atl.1 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3efeaf36-b081-4454-9de0-9023f21b2263} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3919446-af54-44ae-9cfb-cef0ab35a3c1} (Trojan.PWS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c3919446-af54-44ae-9cfb-cef0ab35a3c1} (Trojan.PWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3919446-af54-44ae-9cfb-cef0ab35a3c1} (Trojan.PWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c60bc4df-4cab-4f66-abed-d3fcce7910ad} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{08cbfe20-8dc8-4195-b8e2-dd66f860469d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{695c5a80-18a5-4cd2-a911-4dbebe92f18d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{08cbfe20-8dc8-4195-b8e2-dd66f860469d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08cbfe20-8dc8-4195-b8e2-dd66f860469d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{63c8062f-ba71-44a1-8322-1c9a84783778} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d7019b3b-abf8-4d55-ab50-95a110373d54} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c60bc4df-4cab-4f66-abed-d3fcce7910ad} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3efeaf36-b081-4454-9de0-9023f21b2263} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{08cbfe20-8dc8-4195-b8e2-dd66f860469d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c3919446-af54-44ae-9cfb-cef0ab35a3c1} (Trojan.PWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{695c5a80-18a5-4cd2-a911-4dbebe92f18d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\63C8062F.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\Fonts\D7019B3B.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\Fonts\3EFEAF36.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\DxPlroBt.Rxf (Trojan.PWS) -> Delete on reboot.
C:\Documents and Settings\Compaq_Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP33\A0017957.dll (Trojan.Kilkav) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP35\A0018766.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP36\A0018857.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP36\A0018858.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP36\A0018859.dll (Trojan.Kilkav) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP36\A0018862.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP37\A0021183.fon (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP37\A0021185.fon (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\JingzTo.Toz (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Edited by Kingolame, 21 March 2009 - 12:30 AM.
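As an added illustration (not code from this thread or from Malwarebytes), here is a small Python parser for the MBAM 1.x log layout posted above: it checks that the summary counts agree with the items actually listed, pulls out the objects still marked "Delete on reboot" (the reason the helper's note insists on a normal restart), and classifies the persistence and tampering points visible in this infection (ShellExecuteHooks values, Browser Helper Object registrations, .fon files loaded as memory modules, and the Security Center notification change). The sample log is a constructed excerpt of the posted one, with its counts adjusted to match the excerpt.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the Malwarebytes 1.x log layout posted in this thread
# (a few of the posted entries; summary counts kept consistent with them).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1876

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 201001

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Fonts\63C8062F.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\DxPlroBt.Rxf (Trojan.PWS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{63c8062f-ba71-44a1-8322-1c9a84783778} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{63c8062f-ba71-44a1-8322-1c9a84783778} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\63C8062F.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\Documents and Settings\Compaq_Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# Item line: "<object> (<detection>) -> <action>."
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")   # "Registry Keys Infected: 14"


def parse_mbam_log(text):
    """Return (declared_counts, items): the summary counts and, per section,
    the listed objects with their detection name and the action MBAM took."""
    declared = {}
    items = OrderedDict((s, []) for s in SECTIONS)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group(1) in SECTIONS:
            declared[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:   # section header
            current = line[:-1]
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items[current].append(m.groupdict())
    return declared, items


def check_counts(declared, items):
    """Sections whose summary count disagrees with the number of listed items
    (a truncated or edited paste shows up here as (declared, listed))."""
    return {s: (declared[s], len(lst)) for s, lst in items.items()
            if s in declared and declared[s] != len(lst)}


def pending_reboot(items):
    """Objects MBAM could not remove while the system was running; they are
    deleted on the next normal restart, which is why the reboot step matters."""
    seen = []
    for lst in items.values():
        for it in lst:
            if it["action"].lower().startswith("delete on reboot") and it["object"] not in seen:
                seen.append(it["object"])
    return seen


def persistence_findings(items):
    """Classify the persistence and tampering points this infection used."""
    findings = []
    for section, lst in items.items():
        for it in lst:
            obj, low = it["object"], it["object"].lower()
            if "\\shellexecutehooks\\" in low:
                findings.append(("ShellExecuteHook", obj))
            elif "\\browser helper objects\\" in low:
                findings.append(("BHO", obj))
            elif section == "Memory Modules Infected" and low.endswith(".fon"):
                findings.append(("FON loaded as DLL", obj))   # a "font" mapped as a module
            elif "\\security center\\" in low:
                findings.append(("SecurityCenter tamper", obj))
    return findings


if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(declared, items) or "none")
    print("pending reboot:", pending_reboot(items))
    for kind, obj in persistence_findings(items):
        print(f"{kind:22} {obj}")
```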


#4 boopme

Posted 21 March 2009 - 08:28 AM

Hello, this was good.. we will do ATF and SAS next. This looks like it will be cleaned soon.
From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
  • Open from the desktop icon or the Program Files list.
  • On the left, make sure you check C:\Fixed Drive.
  • Perform a Complete scan. After the scan, verify they are all checked.
  • Click OK on the summary screen to quarantine all found items.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Next, rerun MBAM like this..

  • Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
  • click the Scanner tab, select Quick scan and scan.
  • After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 Kingolame

Posted 22 March 2009 - 11:38 AM

Here's the SUPER Scan Log... It took 10 hours to scan... The longest scan I ever did in my life... Hope it's worth the time though... =P

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2009 at 11:10 PM

Application Version : 4.25.1014

Core Rules Database Version : 3808
Trace Rules Database Version: 1763

Scan type : Complete Scan
Total Scan Time : 09:52:52

Memory items scanned : 225
Memory threats detected : 3
Registry items scanned : 4710
Registry threats detected : 41
File items scanned : 105954
File threats detected : 9

Trojan.FakeAlert-IE
C:\PROGRAM FILES\INTERNET EXPLORER\SED7MAZL.RZ2
C:\PROGRAM FILES\INTERNET EXPLORER\SED7MAZL.RZ2
C:\PROGRAM FILES\INTERNET EXPLORER\SEDTMAZL.RZ2
C:\PROGRAM FILES\INTERNET EXPLORER\SEDTMAZL.RZ2
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75C08B8E-F638-4588-8D07-4728D19F0DC5}
HKCR\CLSID\{75C08B8E-F638-4588-8D07-4728D19F0DC5}
HKCR\CLSID\{75C08B8E-F638-4588-8D07-4728D19F0DC5}
HKCR\CLSID\{75C08B8E-F638-4588-8D07-4728D19F0DC5}\InProcServer32
HKCR\CLSID\{75C08B8E-F638-4588-8D07-4728D19F0DC5}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799C64B8-114B-408D-976B-E5689D7107E4}
HKCR\CLSID\{799C64B8-114B-408D-976B-E5689D7107E4}
HKCR\CLSID\{799C64B8-114B-408D-976B-E5689D7107E4}
HKCR\CLSID\{799C64B8-114B-408D-976B-E5689D7107E4}\InProcServer32
HKCR\CLSID\{799C64B8-114B-408D-976B-E5689D7107E4}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{799C64B8-114B-408D-976B-E5689D7107E4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{75C08B8E-F638-4588-8D07-4728D19F0DC5}
HKU\S-1-5-21-457476294-1157231738-2694578786-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75C08B8E-F638-4588-8D07-4728D19F0DC5}
HKU\S-1-5-21-457476294-1157231738-2694578786-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{799C64B8-114B-408D-976B-E5689D7107E4}

Trojan.Agent/Gen
C:\PROGRAM FILES\INTERNET EXPLORER\DXPL9OBT.QXF
C:\PROGRAM FILES\INTERNET EXPLORER\DXPL9OBT.QXF
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}
HKCR\CLSID\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}
HKCR\CLSID\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}
HKCR\CLSID\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}\InProcServer32
HKCR\CLSID\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}
HKU\S-1-5-21-457476294-1157231738-2694578786-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}

Trojan.Sino-PWS/Gen
HKLM\Software\Classes\CLSID\{1E322963-355E-422F-BE2E-8C4667E31D10}
HKCR\CLSID\{1E322963-355E-422F-BE2E-8C4667E31D10}
HKCR\CLSID\{1E322963-355E-422F-BE2E-8C4667E31D10}\InprocServer32
HKCR\CLSID\{1E322963-355E-422F-BE2E-8C4667E31D10}\InprocServer32#ThreadingModel
C:\WINDOWS\FONTS\NTKRM2ESSN.FON
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{1E322963-355E-422F-BE2E-8C4667E31D10}
HKCR\CLSID\{1E322963-355E-422F-BE2E-8C4667E31D10}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3E52FA6E-D83E-4811-8FB5-1D54C0687227}
HKCR\CLSID\{3E52FA6E-D83E-4811-8FB5-1D54C0687227}
HKCR\CLSID\{3E52FA6E-D83E-4811-8FB5-1D54C0687227}\InprocServer32
HKCR\CLSID\{3E52FA6E-D83E-4811-8FB5-1D54C0687227}\InprocServer32#ThreadingModel
C:\WINDOWS\FONTS\DPMKWRU3M.FON
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3E52FA6E-D83E-4811-8FB5-1D54C0687227}
HKCR\CLSID\{3E52FA6E-D83E-4811-8FB5-1D54C0687227}

Trojan.Agent/Gen-FON
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{47018D3A-8682-4D30-AC5E-F74B84189AB3}
HKCR\CLSID\{47018D3A-8682-4D30-AC5E-F74B84189AB3}
HKCR\CLSID\{47018D3A-8682-4D30-AC5E-F74B84189AB3}\InprocServer32
HKCR\CLSID\{47018D3A-8682-4D30-AC5E-F74B84189AB3}\InprocServer32#ThreadingModel
C:\WINDOWS\FONTS\CRRP2MDP.FON
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FC8F4603-4AB2-4A0D-B17F-886CC8AAAFD2}
HKCR\CLSID\{FC8F4603-4AB2-4A0D-B17F-886CC8AAAFD2}
HKCR\CLSID\{FC8F4603-4AB2-4A0D-B17F-886CC8AAAFD2}\InprocServer32
HKCR\CLSID\{FC8F4603-4AB2-4A0D-B17F-886CC8AAAFD2}\InprocServer32#ThreadingModel
C:\WINDOWS\FONTS\CESPVP8FQD.FON
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\56BC86C7.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\F65BDEC7.DLL.VIR

#6 Kingolame

Posted 22 March 2009 - 11:39 AM

Now here's the MBAM log... Only 1 detection... I guess there's still some work to be done till my computer is totally clean, huh?

Malwarebytes' Anti-Malware 1.34
Database version: 1884
Windows 5.1.2600 Service Pack 2

3/22/2009 11:58:57 PM
mbam-log-2009-03-22 (23-58-57).txt

Scan type: Quick Scan
Objects scanned: 69779
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GanDiao (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme

Posted 22 March 2009 - 12:19 PM

OK, we are starting to look real good here. Are there any issues popping up still?
Do you still have the ComboFix log?

I want you to run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by boopme, 22 March 2009 - 12:22 PM.


#8 Kingolame

Posted 23 March 2009 - 05:28 AM

This is the ComboFix log from the scan which was done long ago.

ComboFix 09-03-18.01 - Compaq_Owner 2009-03-20 11:01:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.447.120 [GMT 8:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\56BC86C7.dll
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\ali236c63d.dll
c:\windows\system32\ali5fab93.dll
c:\windows\system32\ali9c7e.dll
c:\windows\system32\ali9f3d.dll
c:\windows\system32\alic4f5.dll
c:\windows\system32\alic832.dll
c:\windows\system32\alid188.dll
c:\windows\system32\alieffd.dll
c:\windows\system32\alif184.dll
c:\windows\system32\E4814792.cfg
c:\windows\system32\F65BDEC7.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZG
-------\Service_aliimz


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-20 02:09 . 2009-03-20 02:09 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-03-20 02:02 . 2009-03-20 02:02 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-20 02:02 . 2009-03-20 02:02 <DIR> d-------- c:\program files\Microsoft
2009-03-20 01:53 . 2009-03-20 01:53 <DIR> d-------- c:\program files\Common Files\Oberon Media
2009-03-19 19:02 . 2009-03-19 19:03 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-19 18:58 . 2009-03-19 18:58 552 --a------ c:\windows\system32\d3d8caps.dat
2009-03-19 17:35 . 2009-03-19 17:35 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-19 17:35 . 2009-03-19 17:35 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-19 11:10 . 2009-03-19 11:10 14,423 --ahs---- c:\windows\system32\C60BC4DF.dll
2009-03-19 11:06 . 2009-03-19 11:06 13,901 --ahs---- c:\windows\system32\C7029C5D.dll
2009-03-19 10:02 . 2006-01-09 15:01 86,016 --a------ c:\windows\system32\gigagetbho_v10.dll
2009-03-16 15:02 . 2009-03-19 22:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\.gimp-2.6
2009-03-16 15:01 . 2009-03-20 02:12 <DIR> d-------- c:\documents and settings\Compaq_Owner\.gegl-0.0
2009-03-15 21:52 . 2009-03-16 09:54 1,920 --a------ c:\windows\system32\drivers\GanDiao.sys
2009-03-15 21:52 . 2009-03-13 17:14 1,536 --a------ c:\windows\system32\kk.exe
2009-03-15 21:51 . 2009-03-15 21:51 300 --ahs---- c:\windows\system32\1957817A.cfg
2009-03-15 21:45 . 2009-03-15 21:45 244 --ahs---- c:\windows\system32\CC80F0B4.cfg
2009-03-15 21:44 . 2009-03-15 21:44 219,227 --ahs---- c:\windows\system32\695C5A80.dll
2009-03-15 21:43 . 2009-03-15 21:43 219,296 --ahs---- c:\windows\system32\76B9BA7A.dll
2009-03-15 21:43 . 2009-03-15 21:43 15,974 --ahs---- c:\windows\system32\201476D0.dll
2009-03-15 21:43 . 2009-03-15 21:43 316 --ahs---- c:\windows\system32\76B9BA7A.cfg
2009-03-15 21:40 . 2009-03-15 21:40 15,500 --ahs---- c:\windows\system32\FA9B58AA.dll
2009-03-15 21:40 . 2009-03-15 21:40 276 --ahs---- c:\windows\system32\FA9B58AA.cfg
2009-03-15 21:39 . 2009-03-16 09:49 1,763 --a------ c:\windows\system32\asdfasdf
2009-03-15 21:28 . 2009-03-15 21:28 <DIR> d-------- c:\program files\Sony Ericsson
2009-03-13 23:42 . 2009-03-19 22:51 <DIR> d-------- c:\program files\FLV Player
2009-03-12 23:05 . 2009-03-12 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-12 22:47 . 2009-03-19 22:54 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-12 20:48 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-12 20:42 . 2009-03-12 20:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 20:39 . 2009-03-20 01:57 <DIR> d-------- c:\program files\Bonjour
2009-03-10 21:51 . 2009-03-20 10:49 <DIR> d-------- c:\documents and settings\Compaq_Owner\Tracing
2009-03-10 21:36 . 2009-03-10 21:36 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-10 00:25 . 2009-03-12 20:47 1,374 --a------ c:\windows\imsins.BAK
2009-03-09 17:15 . 2009-03-19 22:25 <DIR> d-------- C:\$AVG8.VAULT$
2009-03-09 16:58 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-08 22:49 . 2009-03-08 22:49 <DIR> d-------- C:\temp
2009-03-07 23:21 . 2009-03-20 10:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-07 23:21 . 2009-03-07 23:21 <DIR> d-------- c:\program files\AVG
2009-03-07 23:21 . 2009-03-20 01:54 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-03-07 23:21 . 2009-03-20 02:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-07 23:21 . 2009-03-19 17:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-07 22:18 . 2009-03-07 22:18 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-07 22:03 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-07 22:03 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 21:58 . 2009-03-20 01:56 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-07 21:58 . 2009-03-07 21:58 <DIR> d-------- c:\program files\Apple Software Update
2009-03-07 21:05 . 2009-03-20 01:54 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Orbit
2009-03-07 21:04 . 2004-08-04 20:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-07 21:04 . 2009-03-07 21:04 1,885 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_EP272AA-AB4 SR1730AP SE610_YC_0Pres_QTHT601_E61SEheRED2_48_IAsterope_SHewleet-Packard_V1.0_B3.05_T051202_WXH2_L409_M448_J160_7Intel_8Pentium 4_93.06_#060122_N10EC8139_Z_G10025A61_OHP DVD Writer 740b.MRK
2009-03-07 21:03 . 2004-10-26 06:17 90,112 --a------ c:\windows\system32\ps2.EXE
2009-03-07 21:01 . 2006-01-05 04:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\WINDOWS
2009-03-07 21:01 . 2009-03-07 21:05 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Symantec
2009-03-07 21:01 . 2009-03-19 18:20 <DIR> d-------- c:\documents and settings\Compaq_Owner
2009-03-07 20:59 . 2006-01-05 04:41 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-03-07 20:01 . 2009-03-07 20:01 <DIR> d-------- c:\program files\CCleaner
2009-03-07 18:33 . 2009-03-07 18:33 <DIR> d-------- c:\program files\Windows Defender
2009-03-06 22:29 . 2006-01-05 13:13 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-06 22:29 . 2006-01-05 13:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-06 22:29 . 2009-03-06 22:29 <DIR> d-------- c:\documents and settings\Administrator
2009-03-06 14:45 . 2009-03-07 20:23 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-06 14:45 . 2009-03-06 14:45 1,409 --a------ c:\windows\QTFont.for
2009-03-04 21:19 . 2009-03-07 21:12 <DIR> dr-hs---- C:\RESTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 18:13 --------- d-----w c:\program files\Common Files\Apple
2009-03-19 18:12 --------- d-----w c:\program files\Garena
2009-03-19 18:11 --------- d-----w c:\program files\GIMP-2.0
2009-03-19 18:09 --------- d-----w c:\program files\DivX
2009-03-19 17:54 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-19 17:54 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-19 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-19 17:53 --------- d-----w c:\program files\Hp
2009-03-19 17:53 --------- d-----w c:\program files\Hewlett-Packard
2009-03-19 17:52 --------- d-----w c:\program files\FrostWire
2009-03-19 17:09 --------- d-----w c:\program files\Windows Live
2009-03-19 17:09 --------- d-----w c:\program files\Mobius
2009-03-19 16:50 --------- d-----w c:\program files\Oberon Media
2009-03-19 16:50 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2009-03-19 15:12 --------- d-----w c:\program files\iTunes
2009-03-19 14:51 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-19 14:41 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\gtk-2.0
2009-03-19 14:34 --------- d-----w c:\program files\Orbitdownloader
2009-03-19 08:51 --------- d-----w c:\program files\Warcraft III
2009-03-19 03:11 150 --sha-w c:\windows\Fonts\eCgMhGRkPUcdutd0.ttf
2009-03-19 03:10 202 --sha-w c:\windows\Fonts\yGMHUAj5Npydj8FZ.ttf
2009-03-19 03:10 170 --sha-w c:\windows\Fonts\fk3DJtJRG7Bvcj24.ttf
2009-03-19 03:10 152 --sha-w c:\windows\Fonts\YYBKEpbf.ttf
2009-03-19 03:10 142 --sha-w c:\windows\Fonts\9meS3cnF.ttf
2009-03-19 03:09 156 --sha-w c:\windows\Fonts\EEUJgNKN6xmNqKr6.ttf
2009-03-19 03:08 186 --sha-w c:\windows\Fonts\pDuuqr4BgFn65AeW.ttf
2009-03-19 03:08 174 --sha-w c:\windows\Fonts\yKY54UdeQT3pEaq2.ttf
2009-03-19 03:08 166 --sha-w c:\windows\Fonts\KXBqRpa2mrNPeXKb.ttf
2009-03-19 03:08 154 --sha-w c:\windows\Fonts\S8a8cnEuaydPJGg8.ttf
2009-03-19 03:07 348 --sha-w c:\windows\Fonts\PACNkAWTwg4Cyb3e.ttf
2009-03-19 03:07 178 --sha-w c:\windows\Fonts\JNwybEjgUVaxBU5d.ttf
2009-03-19 03:06 332 --sha-w c:\windows\Fonts\ubZJmeB3bJjsGEbf.ttf
2009-03-19 03:06 320 --sha-w c:\windows\Fonts\dsdwAXRRUntk7EwY.ttf
2009-03-19 03:06 150 --sha-w c:\windows\Fonts\bkPTHN63C5bRVgXP.ttf
2009-03-19 03:05 396 --sha-w c:\windows\Fonts\YywxhF7TSnkktrJw.ttf
2009-03-19 03:05 178 --sha-w c:\windows\Fonts\ukbdZgAKGr9KFysb.ttf
2009-03-18 15:26 --------- d-----w c:\program files\iPod
2009-03-17 15:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-03-17 12:50 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-03-16 01:51 42 ----a-w c:\windows\Fonts\gzxy201.dat
2009-03-15 13:43 200 --sha-w c:\windows\Fonts\9meS3cnFuuhyTu6M.ttf
2009-03-12 13:49 --------- d-----w c:\program files\MSECache
2009-03-11 10:22 --------- d-----w c:\program files\PC-Doctor 5 for Windows
2009-03-07 14:15 --------- d-----w c:\program files\Common Files\Skype
2009-03-07 14:15 --------- d-----r c:\program files\Skype
2009-03-07 14:00 --------- d-----w c:\program files\QuickTime
2009-03-07 14:00 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-07 12:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 10:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-06 13:06 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Hamachi
2009-03-01 08:44 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\MegauploadToolbar
2009-02-28 05:17 --------- d-----w c:\program files\Red Alert 2 Yuri's Revenge
2009-02-25 13:18 21,912 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-02-18 14:02 --------- d-----w c:\program files\Total Video Converter
2009-02-17 14:16 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-14 04:50 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\U3
2009-02-11 11:41 --------- d-----w c:\program files\ABC 3GP Converter
2009-02-11 11:41 --------- d-----w c:\documents and settings\All Users\Application Data\VOWSoft
2009-02-06 11:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-02 09:12 --------- d-----w c:\program files\Counter-Strike 1.6
2009-02-01 14:38 --------- d-----w c:\program files\Hamachi
2009-01-23 15:36 --------- d-----w c:\program files\PHP
2008-08-28 13:04 24 ----a-w c:\documents and settings\Compaq_Owner\jagex_runescape_preferences.dat
2008-06-14 12:44 68,736 ----a-w c:\documents and settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-14 12:41 4 -c--a-w c:\documents and settings\Compaq_Owner\version.dat
2008-04-17 07:17 4,771,840 ----a-w c:\documents and settings\Compaq_Owner\soul.exe
2008-02-27 10:54 356,352 ----a-w c:\documents and settings\Compaq_Owner\GameData.dll
2008-01-21 13:43 36,864 ----a-w c:\documents and settings\Compaq_Owner\TqPackage.dll
2008-01-16 15:22 114,688 ----a-w c:\documents and settings\Compaq_Owner\RoleView.dll
2007-02-28 09:05 508 -c--a-w c:\documents and settings\Compaq_Owner\server.dat
2007-02-04 08:53 73,728 ----a-w c:\documents and settings\Compaq_Owner\Assist.dll
2006-12-07 10:31 151,552 ----a-w c:\documents and settings\Compaq_Owner\Chat.dll
2004-07-07 04:35 1,832 ----a-w c:\documents and settings\Compaq_Owner\1000undo.bat
2004-07-07 04:35 1,800 ----a-w c:\documents and settings\Compaq_Owner\v1000fix.bat
2004-07-07 04:31 2,015 ----a-w c:\documents and settings\Compaq_Owner\Enable.bat
2004-07-07 04:30 2,017 ----a-w c:\documents and settings\Compaq_Owner\Disable.bat
2007-02-21 21:51 66,672 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2007-02-21 21:51 54,376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-02-21 21:51 34,952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
2007-02-21 21:51 46,720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-02-21 21:51 172,144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-07_21.19.12.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 04:00:00 2,804,224 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msi.dll
+ 2004-08-04 12:00:00 2,804,224 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msi.dll
- 2004-08-04 04:00:00 77,312 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
+ 2004-08-04 12:00:00 77,312 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
- 2004-08-04 04:00:00 331,264 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msihnd.dll
+ 2004-08-04 12:00:00 331,264 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msihnd.dll
- 2004-08-04 04:00:00 884,736 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msimsg.dll
+ 2004-08-04 12:00:00 884,736 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msimsg.dll
- 2004-08-04 04:00:00 44,032 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msisip.dll
+ 2004-08-04 12:00:00 44,032 -c----w c:\windows\$MSI31Uninstall_KB893803v2$\msisip.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB954708$\spuninst\spuninst.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB954708$\spuninst\updspapi.dll
+ 2006-10-24 04:30:06 716,288 -c----w c:\windows\$NtUninstallKB954708$\windowscodecs.dll
+ 2006-10-24 04:29:50 352,256 -c----w c:\windows\$NtUninstallKB954708$\windowscodecsext.dll
+ 2009-02-02 10:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\CONFLICT.2\FP_AX_CAB_INSTALLER.exe
+ 2009-02-02 10:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\CONFLICT.3\FP_AX_CAB_INSTALLER.exe
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2004-08-04 04:00:00 12,288 -c--a-w c:\windows\I386\winntupg\APMUPGRD.DLL
+ 2004-08-04 11:00:00 12,288 -c--a-w c:\windows\I386\winntupg\APMUPGRD.DLL
- 2004-08-04 04:00:00 6,656 -c--a-w c:\windows\I386\winntupg\BOSCOMP.DLL
+ 2004-08-04 11:00:00 6,656 -c--a-w c:\windows\I386\winntupg\BOSCOMP.DLL
- 2004-08-04 04:00:00 58,128 -c--a-w c:\windows\I386\winntupg\CFGMGR32.DLL
+ 2004-08-04 11:00:00 58,128 -c--a-w c:\windows\I386\winntupg\CFGMGR32.DLL
- 2004-08-04 04:00:00 40,960 -c--a-w c:\windows\I386\winntupg\CLUSCOMP.DLL
+ 2004-08-04 11:00:00 40,960 -c--a-w c:\windows\I386\winntupg\CLUSCOMP.DLL
- 2004-08-04 04:00:00 5,120 -c--a-w c:\windows\I386\winntupg\FSFILTER.DLL
+ 2004-08-04 11:00:00 5,120 -c--a-w c:\windows\I386\winntupg\FSFILTER.DLL
- 2004-08-04 04:00:00 6,656 -c--a-w c:\windows\I386\winntupg\FTCOMP.DLL
+ 2004-08-04 11:00:00 6,656 -c--a-w c:\windows\I386\winntupg\FTCOMP.DLL
- 2004-08-04 04:00:00 5,632 -c--a-w c:\windows\I386\winntupg\INPUPGRD.DLL
+ 2004-08-04 11:00:00 5,632 -c--a-w c:\windows\I386\winntupg\INPUPGRD.DLL
- 2004-08-04 04:00:00 5,632 -c--a-w c:\windows\I386\winntupg\MS\MODEMSHR\MDMSHRUP.DLL
+ 2004-08-04 11:00:00 5,632 -c--a-w c:\windows\I386\winntupg\MS\MODEMSHR\MDMSHRUP.DLL
- 2004-08-04 04:00:00 30,748 -c--a-w c:\windows\I386\winntupg\MS\SNA\IBMMGUG.DLL
+ 2004-08-04 11:00:00 30,748 -c--a-w c:\windows\I386\winntupg\MS\SNA\IBMMGUG.DLL
- 2004-08-04 04:00:00 38,941 -c--a-w c:\windows\I386\winntupg\MS\SNA\NTSNAUPG.DLL
+ 2004-08-04 11:00:00 38,941 -c--a-w c:\windows\I386\winntupg\MS\SNA\NTSNAUPG.DLL
- 2004-08-04 04:00:00 28,701 -c--a-w c:\windows\I386\winntupg\MS\SNA\SNADLCUG.DLL
+ 2004-08-04 11:00:00 28,701 -c--a-w c:\windows\I386\winntupg\MS\SNA\SNADLCUG.DLL
- 2004-08-04 04:00:00 5,632 -c--a-w c:\windows\I386\winntupg\MSMQCOMP.DLL
+ 2004-08-04 11:00:00 5,632 -c--a-w c:\windows\I386\winntupg\MSMQCOMP.DLL
- 2004-08-04 04:00:00 121,344 -c--a-w c:\windows\I386\winntupg\NETUPGRD.DLL
+ 2004-08-04 11:00:00 121,344 -c--a-w c:\windows\I386\winntupg\NETUPGRD.DLL
- 2004-08-04 04:00:00 11,264 -c--a-w c:\windows\I386\winntupg\NTDSUPG.DLL
+ 2004-08-04 11:00:00 11,264 -c--a-w c:\windows\I386\winntupg\NTDSUPG.DLL
- 2004-08-04 04:00:00 6,144 -c--a-w c:\windows\I386\winntupg\NV4PREP.DLL
+ 2004-08-04 11:00:00 6,144 -c--a-w c:\windows\I386\winntupg\NV4PREP.DLL
- 2004-08-04 04:00:00 9,756 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\ASYNC\DGUPGRD.DLL
+ 2004-08-04 11:00:00 9,756 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\ASYNC\DGUPGRD.DLL
- 2004-08-04 04:00:00 72,732 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\ISDN\BRI\DIGIUPG.DLL
+ 2004-08-04 11:00:00 72,732 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\ISDN\BRI\DIGIUPG.DLL
- 2004-08-04 04:00:00 28,701 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\ISDN\PRI\DIGPRIUP.DLL
+ 2004-08-04 11:00:00 28,701 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\ISDN\PRI\DIGPRIUP.DLL
- 2004-08-04 04:00:00 11,292 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\REALPORT\DGRPUPG.DLL
+ 2004-08-04 11:00:00 11,292 -c--a-w c:\windows\I386\winntupg\OEM\DIGI\REALPORT\DGRPUPG.DLL
- 2004-08-04 04:00:00 114,717 -c--a-w c:\windows\I386\winntupg\OEM\EQN\EQNUPGRD.DLL
+ 2004-08-04 11:00:00 114,717 -c--a-w c:\windows\I386\winntupg\OEM\EQN\EQNUPGRD.DLL
- 2004-08-04 04:00:00 31,744 -c--a-w c:\windows\I386\winntupg\OEM\SPX\MPS\SPXUPGRD.DLL
+ 2004-08-04 11:00:00 31,744 -c--a-w c:\windows\I386\winntupg\OEM\SPX\MPS\SPXUPGRD.DLL
- 2004-08-04 04:00:00 33,792 -c--a-w c:\windows\I386\winntupg\OEM\TIGERJET\TJUPG.DLL
+ 2004-08-04 11:00:00 33,792 -c--a-w c:\windows\I386\winntupg\OEM\TIGERJET\TJUPG.DLL
- 2004-08-04 04:00:00 323,344 -c--a-w c:\windows\I386\winntupg\SETUPAPI.DLL
+ 2004-08-04 11:00:00 323,344 -c--a-w c:\windows\I386\winntupg\SETUPAPI.DLL
- 2004-08-04 04:00:00 4,608 -c--a-w c:\windows\I386\winntupg\TSCOMP.DLL
+ 2004-08-04 11:00:00 4,608 -c--a-w c:\windows\I386\winntupg\TSCOMP.DLL
- 2004-08-04 04:00:00 11,776 -c--a-w c:\windows\I386\winntupg\VIDUPGRD.DLL
+ 2004-08-04 11:00:00 11,776 -c--a-w c:\windows\I386\winntupg\VIDUPGRD.DLL
+ 2009-03-12 12:39:58 86,016 ----a-r c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe
+ 2009-03-12 12:46:25 80,395 ----a-r c:\windows\Installer\{0AAA9C97-74D4-47CE-B089-0B147EF3553C}\MsblIco.Exe
+ 2009-03-07 14:15:50 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2009-03-12 12:49:15 132,096 ----a-r c:\windows\Installer\{3C52E7DA-C431-4239-B66B-1BF703D5B194}\WLXPhotoGalleryIcon.exe
- 2007-04-01 06:46:59 65,536 -c--a-r c:\windows\Installer\{43DCF766-6838-4F9A-8C91-D92DA586DFA8}\_C68C351F090F4EF39AFB6B7B54014C9E.exe
+ 2009-03-14 05:51:11 65,536 ----a-r c:\windows\Installer\{43DCF766-6838-4F9A-8C91-D92DA586DFA8}\_C68C351F090F4EF39AFB6B7B54014C9E.exe
+ 2009-03-12 12:46:52 58,945 ----a-r c:\windows\Installer\{63C1109E-D977-49ED-BCE3-D00D0BF187D6}\wlmail.exe
+ 2009-03-07 13:58:34 27,136 ----a-r c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
- 2008-11-13 04:47:07 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-03-12 13:59:53 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-03-12 14:37:39 49,936 ----a-r c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2009-03-18 15:27:17 102,400 ----a-r c:\windows\Installer\{C26B06A9-27BB-45B0-9873-9C623EC2BA38}\iTunesIco.exe
+ 2009-03-12 15:07:09 632,320 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F66110.exe
+ 2009-03-12 15:07:09 29,184 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F6617.exe
+ 2009-03-12 12:45:35 62,304 ----a-r c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-01-27 01:34:18 684,032 ----a-w c:\windows\system32\DivX.dll
+ 2009-01-27 01:34:18 823,296 ----a-w c:\windows\system32\divx_xx07.dll
+ 2009-01-27 01:34:18 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
+ 2009-01-27 01:34:18 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
+ 2009-01-27 01:34:18 802,816 ----a-w c:\windows\system32\divx_xx11.dll
- 2004-08-04 12:00:00 2,804,224 ----a-w c:\windows\system32\dllcache\msi.dll
+ 2005-05-04 06:45:32 2,890,240 ----a-w c:\windows\system32\dllcache\msi.dll
- 2004-08-04 12:00:00 77,312 ----a-w c:\windows\system32\dllcache\msiexec.exe
+ 2005-05-04 06:45:36 78,848 ----a-w c:\windows\system32\dllcache\msiexec.exe
- 2004-08-04 12:00:00 331,264 ----a-w c:\windows\system32\dllcache\msihnd.dll
+ 2005-05-04 06:45:36 271,360 ----a-w c:\windows\system32\dllcache\msihnd.dll
- 2004-08-04 12:00:00 884,736 ----a-w c:\windows\system32\dllcache\msimsg.dll
+ 2005-05-04 06:45:36 884,736 ----a-w c:\windows\system32\dllcache\msimsg.dll
- 2004-08-04 12:00:00 44,032 ----a-w c:\windows\system32\dllcache\msisip.dll
+ 2005-05-04 06:45:36 15,360 ----a-w c:\windows\system32\dllcache\msisip.dll
+ 2008-12-12 03:18:16 87,336 ----a-w c:\windows\system32\dns-sd.exe
+ 2008-12-12 03:11:46 61,440 ----a-w c:\windows\system32\dnssd.dll
+ 2009-01-27 01:34:20 90,112 ----a-w c:\windows\system32\dpl100.dll
+ 2009-03-19 09:35:11 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-04-17 04:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspi.dll
+ 2009-01-15 04:19:36 23,848 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspiWDM.sys
+ 2008-04-17 05:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 05:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2009-03-05 15:59:00 36,864 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaapl.sys
+ 2009-03-05 15:59:00 1,900,544 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaaplrc.dll
+ 2005-07-26 11:39:45 243,200 ----a-w c:\windows\system32\es(2).dll
- 2009-03-07 13:01:34 230,392 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-12 16:00:22 252,680 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2004-08-03 16:56:44 207,360 ----a-w c:\windows\system32\inked.dll
+ 2009-02-06 04:35:56 1,486,208 ----a-w c:\windows\system32\LegitCheckControl.DLL
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-03-11 13:19:57 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2005-06-29 08:46:00 74,240 ----a-w c:\windows\system32\mscms(2).dll
- 2004-08-04 12:00:00 2,804,224 ----a-w c:\windows\system32\msi.dll
+ 2005-05-04 06:45:32 2,890,240 ----a-w c:\windows\system32\msi.dll
- 2004-08-04 12:00:00 77,312 ----a-w c:\windows\system32\msiexec.exe
+ 2005-05-04 06:45:36 78,848 ----a-w c:\windows\system32\msiexec.exe
- 2004-08-04 12:00:00 331,264 ----a-w c:\windows\system32\msihnd.dll
+ 2005-05-04 06:45:36 271,360 ----a-w c:\windows\system32\msihnd.dll
- 2004-08-04 12:00:00 884,736 ----a-w c:\windows\system32\msimsg.dll
+ 2005-05-04 06:45:36 884,736 ----a-w c:\windows\system32\msimsg.dll
- 2004-08-04 12:00:00 44,032 ----a-w c:\windows\system32\msisip.dll
+ 2005-05-04 06:45:36 15,360 ----a-w c:\windows\system32\msisip.dll
+ 2004-08-04 12:00:00 1,236,480 ----a-w c:\windows\system32\msxml3(2).dll
+ 2004-08-04 12:00:00 332,288 ----a-w c:\windows\system32\netapi32(3).dll
+ 2006-10-24 04:30:20 412,160 ------w c:\windows\system32\photometadatahandler.dll
+ 2009-03-19 18:18:47 17,467,696 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2005-09-03 06:52:06 473,600 ----a-w c:\windows\system32\shlwapi(3).dll
+ 2009-02-06 10:52:40 49,504 ----a-w c:\windows\system32\sirenacm.dll
- 2005-02-25 10:35:05 14,048 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2004-11-18 09:42:52 22,752 ----a-w c:\windows\system32\spupdsvc.exe
+ 2006-10-16 08:10:58 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2005-09-03 06:52:06 608,768 ----a-w c:\windows\system32\urlmon(3).dll
+ 2008-07-11 08:55:41 712,704 ------w c:\windows\system32\windowscodecs.dll
+ 2008-07-11 08:55:41 347,648 ------w c:\windows\system32\windowscodecsext.dll
+ 2005-09-03 06:52:06 658,432 ----a-w c:\windows\system32\wininet(3).dll
+ 2004-08-03 16:56:58 293,376 ----a-w c:\windows\system32\wisptis.exe
+ 2006-10-24 04:30:00 276,992 ------w c:\windows\system32\WMPhoto.dll
+ 2006-10-26 05:40:34 95,744 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2006-12-01 14:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2005-09-22 14:48:08 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-22 14:48:08 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-22 14:48:06 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2006-12-01 14:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 14:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 14:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-10-26 05:40:36 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2006-10-26 05:40:36 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2006-10-26 05:40:36 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2006-10-26 05:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2006-12-01 16:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 16:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 16:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 16:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-10-26 05:40:36 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2006-10-26 05:40:36 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2006-10-26 05:40:36 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2006-10-26 05:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2006-10-26 05:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2006-10-26 05:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2006-10-26 05:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2006-10-26 05:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2006-10-26 05:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
+ 2006-12-01 16:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 16:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 16:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 16:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 16:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 16:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 16:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 16:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 16:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 16:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2007-11-06 12:23:58 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2007-11-06 17:19:34 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-06 17:19:34 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08CBFE20-8DC8-4195-B8E2-DD66F860469D}]
2009-03-16 09:54 70779 --ahs---- c:\program files\Internet Explorer\PowerJa.ask

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}]
2009-03-20 11:00 29820 --ahs---- c:\program files\Internet Explorer\DxPl9oBt.Qxf

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75C08B8E-F638-4588-8D07-4728D19F0DC5}]
2009-03-20 11:00 31889 --ahs---- c:\program files\Internet Explorer\Sed7Mazl.Rz2

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799C64B8-114B-408D-976B-E5689D7107E4}]
2009-03-19 12:56 31377 --ahs---- c:\program files\Internet Explorer\SedtMazl.Rz2

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3919446-AF54-44AE-9CFB-CEF0AB35A3C1}]
2009-03-19 12:56 29820 --ahs---- c:\program files\Internet Explorer\DxPlroBt.Rxf

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-22 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-01-05 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-19 1932568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{695C5A80-18A5-4CD2-A911-4DBEBE92F18D}"= "c:\windows\system32\695C5A80.dll" [2009-03-15 219227]
"{08CBFE20-8DC8-4195-B8E2-DD66F860469D}"= "c:\program files\Internet Explorer\PowerJa.ask" [2009-03-16 70779]
"{799C64B8-114B-408D-976B-E5689D7107E4}"= "c:\program files\Internet Explorer\SedtMazl.Rz2" [2009-03-19 31377]
"{C3919446-AF54-44AE-9CFB-CEF0AB35A3C1}"= "c:\program files\Internet Explorer\DxPlroBt.Rxf" [2009-03-19 29820]
"{3E52FA6E-D83E-4811-8FB5-1D54C0687227}"= "c:\windows\fonts\dPmKwRu3m.fon" [2009-03-19 15451]
"{47018D3A-8682-4D30-AC5E-F74B84189AB3}"= "c:\windows\fonts\crrp2mDP.fon" [2009-03-19 13926]
"{C7029C5D-96D1-4FA4-A441-822BFB230785}"= "c:\windows\system32\C7029C5D.dll" [2009-03-19 13901]
"{FC8F4603-4AB2-4A0D-B17F-886CC8AAAFD2}"= "c:\windows\fonts\CESPVP8FQd.fon" [2009-03-19 219739]
"{3EFEAF36-B081-4454-9DE0-9023F21B2263}"= "c:\windows\fonts\3EFEAF36.fon" [2009-03-19 13390]
"{C60BC4DF-4CAB-4F66-ABED-D3FCCE7910AD}"= "c:\windows\system32\C60BC4DF.dll" [2009-03-19 14423]
"{63C8062F-BA71-44A1-8322-1C9A84783778}"= "c:\windows\Fonts\63C8062F.fon" [2009-03-19 15945]
"{D7019B3B-ABF8-4D55-AB50-95A110373D54}"= "c:\windows\Fonts\D7019B3B.fon" [2009-03-19 13902]
"{1E322963-355E-422F-BE2E-8C4667E31D10}"= "c:\windows\fonts\NtkRM2essN.fon" [2009-03-19 15437]
"{4A3D990F-1F3F-4D16-9923-58295BCAC2C5}"= "c:\program files\Internet Explorer\DxPl9oBt.Qxf" [2009-03-20 29820]
"{75C08B8E-F638-4588-8D07-4728D19F0DC5}"= "c:\program files\Internet Explorer\Sed7Mazl.Rz2" [2009-03-20 31889]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-19 17:35 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-02-04 12:27 23975720 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-19 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-19 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-19 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-19 298264]
S2 WinSSCOM;COM+ Windows System;c:\windows\winsscoo.exe --> c:\windows\winsscoo.exe [?]
S3 GanDiao;GanDiao;c:\windows\system32\drivers\GanDiao.sys [2009-03-15 1920]
S3 MyProt;Network Monitor Protocol Driver;c:\windows\system32\DRIVERS\winyyy.sys --> c:\windows\system32\DRIVERS\winyyy.sys [?]
S3 zx;zx;\??\c:\docume~1\COMPAQ~1\LOCALS~1\Temp\~5a6840.tmp --> c:\docume~1\COMPAQ~1\LOCALS~1\Temp\~5a6840.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\ABDDD638918A4DA8.job
- c:\docume~1\compaq~1\applic~1\greyfo~1\signwebup.exe []

2009-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-03-07 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-08 19:23]

2009-03-07 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-08 19:22]

2009-03-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
ShellExecuteHooks-{FA9B58AA-6759-4C02-B37F-572FC2F1A231} - FA9B58AA.dll
ShellExecuteHooks-{76B9BA7A-81D0-4979-8598-8471F2AB5186} - 76B9BA7A.dll
ShellExecuteHooks-{CC80F0B4-04D7-44D0-8DB9-9109B5B72141} - CC80F0B4.dll
ShellExecuteHooks-{7E94C114-C874-4112-9922-054D8E5546E2} - c:\windows\fonts\kbascxyg.dll
ShellExecuteHooks-{1957817A-94B2-4CAC-B113-A331809B5730} - 1957817A.dll
ShellExecuteHooks-{DDFDCED2-075A-4910-986E-B2BDA2B0E916} - c:\windows\system32\rBWN2dra.dll
ShellExecuteHooks-{77E6DA01-5342-4467-AF91-C3C318CCBBB4} - c:\windows\system32\nnemdagh.dll
ShellExecuteHooks-{C59D8922-4CEB-4D03-89F3-3B4EBE6A28BA} - c:\windows\system32\clpdopii.dll
ShellExecuteHooks-{96F38AF0-D876-4155-9CDE-0A112BB24FCA} - c:\windows\system32\pmfjoafg.dll
ShellExecuteHooks-{DFB72EBC-9ECB-42C8-97F2-638E021F18B7} - c:\windows\system32\dfbniebc.dll
ShellExecuteHooks-{505B0CB8-1B74-426A-9FE7-3D20707F1EC6} - c:\windows\system32\lglbgcbo.dll
ShellExecuteHooks-{995406B9-DE64-4A4C-AB51-B3011DD39CAB} - c:\windows\system32\pplkgmbp.dll
ShellExecuteHooks-{38C7F682-AFEC-423A-88F6-A307D5608882} - c:\windows\system32\jocnfmoi.dll
ShellExecuteHooks-{AE8813B0-61B3-4F6D-8F9A-7AF223E2C46E} - c:\windows\system32\SKj9pRhxKPy.dll
ShellExecuteHooks-{E4D2F0FD-48EB-4B68-AC76-D3EE0B2F7A31} - c:\windows\system32\ekdifgfd.dll
ShellExecuteHooks-{704C3595-DB85-40F6-A601-8D6F346907BD} - c:\windows\system32\704C3595.dll
ShellExecuteHooks-{E21BC4F6-3919-42C0-96CA-F705CC5B95B4} - c:\windows\system32\eihbckfm.dll
ShellExecuteHooks-{B202DBAD-2C07-425A-B7E0-C500BAE311DF} - c:\windows\system32\bigidbad.dll
SSODL-c:\windows\fonts\gkgzpenm.dll-{7E94C114-C874-4112-9922-054D8E5546E2} - c:\windows\fonts\kbascxyg.dll
SSODL-c:\windows\fonts\kbascxyg.dll-{7E94C114-C874-4112-9922-054D8E5546E2} - c:\windows\fonts\kbascxyg.dll
SSODL-77E6DA01-{77E6DA01-5342-4467-AF91-C3C318CCBBB4} - c:\windows\system32\nnemdagh.dll
SSODL-C59D8922-{C59D8922-4CEB-4D03-89F3-3B4EBE6A28BA} - c:\windows\system32\clpdopii.dll
SSODL-96F38AF0-{96F38AF0-D876-4155-9CDE-0A112BB24FCA} - c:\windows\system32\pmfjoafg.dll
SSODL-DFB72EBC-{DFB72EBC-9ECB-42C8-97F2-638E021F18B7} - c:\windows\system32\dfbniebc.dll
SSODL-505B0CB8-{505B0CB8-1B74-426A-9FE7-3D20707F1EC6} - c:\windows\system32\lglbgcbo.dll
SSODL-995406B9-{995406B9-DE64-4A4C-AB51-B3011DD39CAB} - c:\windows\system32\pplkgmbp.dll
SSODL-38C7F682-{38C7F682-AFEC-423A-88F6-A307D5608882} - c:\windows\system32\jocnfmoi.dll
SSODL-E4D2F0FD-{E4D2F0FD-48EB-4B68-AC76-D3EE0B2F7A31} - c:\windows\system32\ekdifgfd.dll
SSODL-E21BC4F6-{E21BC4F6-3919-42C0-96CA-F705CC5B95B4} - c:\windows\system32\eihbckfm.dll
SSODL-B202DBAD-{B202DBAD-2C07-425A-B7E0-C500BAE311DF} - c:\windows\system32\bigidbad.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://sg.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
IE: &Download All by Gigaget - c:\program files\Giganology\Gigaget\getallurl.htm
IE: &Download by Gigaget - c:\program files\Giganology\Gigaget\geturl.htm
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 11:12:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zx]
"ImagePath"="\??\c:\docume~1\COMPAQ~1\LOCALS~1\Temp\~5a6840.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-20 11:18:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 03:18:54

Pre-Run: 27,391,459,328 bytes free
Post-Run: 28,418,715,648 bytes free

539

#9 Kingolame

Kingolame
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 23 March 2009 - 05:31 AM

And here's the SmitfraudFix log. It seems like there isn't any problem with my computer so far. Hopefully this log will look fine too.

SmitFraudFix v2.405

Scan done at 18:23:46.92, Mon 03/23/2009
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Compaq_Owner


C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp


C:\Documents and Settings\Compaq_Owner\Application Data


Start Menu


C:\DOCUME~1\COMPAQ~1\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 15.243.128.51
DNS Server Search Order: 15.243.160.51

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 202.156.1.58
DNS Server Search Order: 202.156.1.78
DNS Server Search Order: 218.186.1.38

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38


Scanning for wininet.dll infection


End

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:52 AM

Posted 23 March 2009 - 09:52 AM

Ok, we have 2 things to do. After which, if all's good, we can mop up.
Run part 2, Cleaning, of S!Ri's SmitfraudFix
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
~~~~~~

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 Kingolame

Kingolame
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 24 March 2009 - 06:07 AM

Done! Hope everything is well by now...

SmitFraudFix v2.405

Scan done at 18:51:03.57, Tue 03/24/2009
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Program Files\Google\googletoolbar1.dll Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
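
The DNS section that SmitfraudFix prints in both of the logs above exists to catch resolver hijacking: some of the families this tool targets rewrite the adapter's DNS servers so every lookup goes through an attacker-controlled resolver. A clean box looks like the logs here, where each adapter shows the same servers in CurrentControlSet (CCS) and in the ControlSet00x (CS1, CS3) copies, and all of them belong to resolvers the owner expects. As an added example that is not part of the original thread and not SmitfraudFix's own code, the Python below parses that section and reports any name server outside an expected list, and any adapter whose control-set copies disagree (a sign the setting was changed after the last good boot). The EXPECTED_RESOLVERS list and the sample text are constructed for the demo; in practice the list holds the ISP's or corporate resolvers.

```python
"""Check the DNS servers recorded in a SmitfraudFix report.

Added example; not from the original thread or from SmitfraudFix itself.
Parses lines of the form

    HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{GUID}: DhcpNameServer=1.2.3.4 5.6.7.8
    HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=1.2.3.4

and flags (1) resolvers outside an allow-list and (2) adapters whose
CCS / CS1 / CS3 copies of the setting differ from each other.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the DNS section of the logs posted above.
SAMPLE_LOG = r"""
DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DFF6BF1-22E2-44C5-95D6-F1F2FBB83113}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
"""

# Assumption for the demo: the networks the owner expects resolvers to come from.
EXPECTED_RESOLVERS = ["15.243.0.0/16", "202.156.1.0/24", "218.186.1.0/24"]

LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|(?P<params>Parameters)):\s*"
    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>.*)$"
)


def parse_dns_section(text):
    """Return {(control_set, adapter_or_'Parameters'): [server, ...]}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        iface = m.group("iface") or m.group("params")
        # SmitfraudFix separates servers with spaces; static NameServer may use commas.
        servers = m.group("servers").replace(",", " ").split()
        entries[(m.group("cset"), iface)] = servers
    return entries


def check_dns(text, allowed):
    """Return a list of findings; an empty list means nothing looked hijacked."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    entries = parse_dns_section(text)
    findings = []

    # 1. Every resolver must fall inside one of the expected networks.
    for (cset, iface), servers in sorted(entries.items()):
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                findings.append(f"{cset} {iface}: unparseable name server {s!r}")
                continue
            if not any(addr in net for net in allowed_nets):
                findings.append(f"{cset} {iface}: unexpected name server {s}")

    # 2. Each adapter's value should be identical in every control set present;
    #    a lone differing copy means the setting changed since the last good boot.
    by_iface = defaultdict(dict)
    for (cset, iface), servers in entries.items():
        by_iface[iface][cset] = tuple(servers)
    for iface, sets in by_iface.items():
        if len(set(sets.values())) > 1:
            findings.append(f"{iface}: control sets disagree: {sets}")
    return findings


if __name__ == "__main__":
    for finding in check_dns(SAMPLE_LOG, EXPECTED_RESOLVERS) or ["no DNS findings"]:
        print(finding)
```

Run it against the DNS block of a real rapport.txt by passing the file contents to check_dns; an empty result for the logs above is what you want to see, and anything flagged should be compared with the DNS servers the ISP actually hands out before the tool's Clean step is run.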

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:52 AM

Posted 24 March 2009 - 12:18 PM

Ok, looks good. If there are no more symptoms on your end, then...
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#13 Kingolame

Kingolame
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 25 March 2009 - 05:18 AM

Seems like everything is good and going well... Thanks lots!!!

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:52 AM

Posted 25 March 2009 - 09:21 AM

You're most welcome. Please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

#15 Kingolame

Kingolame
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 01 April 2009 - 08:46 AM

All was good for my computer till recently (not starting today... the problem has already lasted for around 3 or 4 days), and sometimes the computer will restart around 1 minute after startup. And after it restarts, it will hang after the next startup. Then I'll have to switch off the main switch and rerun my computer. Most likely it will start working after 1 or 2 tries, and most of the time it will display a message saying that the computer has encountered a serious problem and ask if I want to send an error report. I've used this computer for around 2 to 3 years. Could this problem be related to the age of the computer, or could it be a virus, or is there anything else possibly wrong with my computer? Thanks.



