
Please Help!


3 replies to this topic

#1 gautamr

gautamr

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:40 PM

Posted 26 June 2006 - 09:10 AM

hi guys,

please help me.. i've got some kind of malware on my pc... i have McAfee antivirus.. it keeps finding something called Downloader-EV but can't clean or delete it... i've done all the scans you guys have recommended.. that cleaned up a lot of virus/trojan etc but there's still something that hijacks my browser and keeps showing ads.. i'm posting a HijackThis log.. please help me with what i need to delete... i've been struggling with this for quite a while now.. please help...
thanks in advance

gautam



Logfile of HijackThis v1.99.1
Scan saved at 11:24:10 PM, on 6/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
D:\Program Files\Network Associates\VirusScan\Webscanx.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\DOCUME~1\GAUTAM~1.XYZ\APPLIC~1\ECURIT~1\tracert.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Setup Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [curb find bolt jugs] D:\Documents and Settings\All Users.WINDOWS\Application Data\MEDIA OWNS CURB FIND\Stupid Time.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows System] jqiabpbu.exe
O4 - HKCU\..\Run: [srshost.exe] D:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [EggsNew] D:\DOCUME~1\GAUTAM~1.XYZ\APPLIC~1\ROADVG~1\bintray.exe
O4 - HKCU\..\Run: [Atau] "D:\DOCUME~1\GAUTAM~1.XYZ\APPLIC~1\ECURIT~1\tracert.exe" -vt yax
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Malware Sweeper] D:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe /STARTUP
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - http://www.cartesianinc.com/Products/CPCVi...k/CpcViewAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CCS\Services\Tcpip\..\{D900BA0D-EA98-4526-A274-E9E1E72E37B9}: NameServer = 61.1.96.69,61.1.96.71
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\j8p00i7me8.dll
O21 - SSODL: xEAPEilFtDnDU - {19221E07-B388-B4AD-7952-AFBE562711D5} - D:\WINDOWS\System32\uxrn.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
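As an added example that is not part of this thread (neither the poster's nor the helper's), here is a small Python script that does mechanically what a helper does by eye on a log like the one above: it parses the O4 autostart lines and the O20/O21 loading-point lines and flags the classes of entries that usually deserve a closer look. The heuristics (RunServices usage, executables living under a profile or Application Data folder, bare file names resolved through the PATH, orphaned "(file missing)" targets, Winlogon Notify DLLs with letters-and-digits names) are my own triage rules, not a HijackThis feature; the sample lines are copied from the log posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [curb find bolt jugs] D:\Documents and Settings\All Users.WINDOWS\Application Data\MEDIA OWNS CURB FIND\Stupid Time.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] jqiabpbu.exe
O4 - HKCU\..\Run: [EggsNew] D:\DOCUME~1\GAUTAM~1.XYZ\APPLIC~1\ROADVG~1\bintray.exe
O4 - HKCU\..\Run: [Atau] "D:\DOCUME~1\GAUTAM~1.XYZ\APPLIC~1\ECURIT~1\tracert.exe" -vt yax
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\j8p00i7me8.dll
O21 - SSODL: xEAPEilFtDnDU - {19221E07-B388-B4AD-7952-AFBE562711D5} - D:\WINDOWS\System32\uxrn.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


@dataclass
class Finding:
    line: str        # the log line that triggered the rule
    rule: str        # human-readable reason
    severity: str    # "suspicious" or "review"


# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Any other "Onn - Kind: rest" line (O20 Winlogon Notify, O21 SSODL, O23 Service, ...)
OTHER_RE = re.compile(r'^O(?P<num>\d+) - (?P<kind>[^:]+): (?P<rest>.*)$')
# First image path in a command line, quoted or not, ending in a known executable extension
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)
# Profile / data directories, in long and 8.3 short form (heuristic, my own list)
DATA_DIR_RE = re.compile(r'\\(application data|applic~1|local settings|locals~1|temp)\\', re.I)
# A file stem that mixes letters and digits, e.g. j8p00i7me8 (heuristic)
MIXED_RE = re.compile(r'^(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{6,}$', re.I)


def check_autostart(line: str, key: str, cmd: str) -> list[Finding]:
    """Rules for O4 Run/RunServices entries."""
    out: list[Finding] = []
    if key.lower() == "runservices":
        out.append(Finding(line, "RunServices key (Win9x-era key, rarely used by legitimate software on XP)", "suspicious"))
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else cmd
    if DATA_DIR_RE.search(path):
        out.append(Finding(line, "executable launched from a profile/data directory", "suspicious"))
    if "\\" not in path:
        out.append(Finding(line, "bare file name, resolved by PATH search; verify where it lives", "review"))
    return out


def check_loading_point(line: str, num: str, rest: str) -> list[Finding]:
    """Rules for the non-O4 sections (O9/O20/O21/O23 ...)."""
    out: list[Finding] = []
    if "(file missing)" in line:
        out.append(Finding(line, "orphaned loading point: target file missing", "review"))
    if num == "20":  # Winlogon Notify DLLs are loaded into winlogon.exe at every logon
        path = rest.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if MIXED_RE.match(stem):
            out.append(Finding(line, "Winlogon Notify DLL with a random-looking (letters+digits) name", "suspicious"))
    return out


def analyze(log_text: str) -> list[Finding]:
    """Run every rule over every line of a HijackThis log and collect the findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(check_autostart(line, m.group("key"), m.group("cmd")))
            continue
        m = OTHER_RE.match(line)
        if m:
            findings.extend(check_loading_point(line, m.group("num"), m.group("rest")))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Format findings one per line, most severe first."""
    order = {"suspicious": 0, "review": 1}
    return [f"[{f.severity}] {f.rule}\n    {f.line}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

Run as-is it prints eight findings for the sample: the two Application Data executables and the All Users entry, the RunServices item, the Winlogon Notify DLL, the orphaned SSODL entry, and two "review" notes for bare file names. The ZoneAlarm lines produce nothing, which is the point: the rules are meant to narrow a 40-line log down to the handful of entries worth asking about, not to decide on their own what to remove.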



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:10 PM

Posted 26 June 2006 - 09:46 AM

Hello,

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

Once updated to SP1, perform the next steps:

* Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following programs if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

-------------------------

* Open Notepad and copy and paste the following into it:

rem Start with a fresh log on the system drive
if exist %systemdrive%\lop.txt del %systemdrive%\lop.txt
rem List the user's and the All Users' Application Data folders with 8.3 short names (/x),
rem so that entries such as APPLIC~1\ECURIT~1 in the HijackThis log can be matched
cd /d %appdata%
dir /x >> %systemdrive%\lop.txt
cd /d "%allusersprofile%\Application Data"
dir /x >> %systemdrive%\lop.txt
rem Scheduled tasks are hidden files (/a:h); write them to the same log, not to C:\ (the system drive may not be C:)
dir %Windir%\tasks /a:h >> %systemdrive%\lop.txt
start notepad %systemdrive%\lop.txt


Save this as lop.bat, choose to save it as *all files, and place it on your desktop.
This is how the batch must look afterwards: (image not available)
Double-click lop.bat
A text file will open afterwards. This one is also located on your C:\ with the name lop.txt.
I need that log later.

* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the C:\lop.txt log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:10 PM

Posted 03 July 2006 - 02:46 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#4 gautamr

gautamr
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:40 PM

Posted 04 July 2006 - 11:14 AM

hi miekiemoes,

Thanks for the advice. I did what you suggested. It seems to have taken care of most of it. I do still have some adware.
-----------------------------------------------------------------------------------------------------------------------------
here's the LOP log
---------------------
Volume in drive D is WIN XP
Volume Serial Number is DC5C-61A4

Directory of D:\WINDOWS\tasks

08/23/2001 05:30 PM 65 desktop.ini
06/29/2006 07:36 PM 6 SA.DAT
06/29/2006 07:00 PM 276 A6607217919FEAF3.job
3 File(s) 347 bytes
0 Dir(s) 1,035,694,080 bytes free
Volume in drive D is WIN XP
Volume Serial Number is DC5C-61A4

Directory of D:\WINDOWS\tasks

08/23/2001 05:30 PM 65 desktop.ini
07/04/2006 08:17 PM 6 SA.DAT
07/04/2006 08:00 PM 276 A6607217919FEAF3.job
3 File(s) 347 bytes
0 Dir(s) 862,240,768 bytes free

-----------------------------------------------------------------------------------------------------------------------------
the COMBOFIX log
-----------------------

Start Time= Tue 07/04/2006 20:22:09.89
Running from: D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-02 16:15:20 50688 ( A.... ) "D:\WINDOWS\system32\wbhelp2.dll"
2006-07-02 16:15:18 ( .D... ) "D:\Program Files\DAP"
2006-06-25 20:50:28 ( .D... ) "D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Application Data\Media Player Classic"
2006-06-25 20:48:58 ( .D... ) "D:\Program Files\K-Lite Codec Pack"
2006-06-24 21:18:56 ( .D... ) "D:\Program Files\PAS-Products"
2006-06-24 18:43:24 ( .D... ) "D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Application Data\Mozilla"
2006-06-24 18:43:22 ( .D... ) "D:\Program Files\Mozilla Firefox"
2006-06-22 15:32:24 17528 ( A.... ) "D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Application Data\GDIPFONTCACHEV1.DAT"
2006-06-21 21:16:10 ( .D... ) "D:\Program Files\Spybot - Search & Destroy"
2006-06-18 20:15:40 ( .D... ) "D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Application Data\Lavasoft"
2006-06-18 20:15:24 ( .D... ) "D:\Program Files\Lavasoft"
2006-06-15 20:51:00 ( .D... ) "D:\Program Files\Time Zone Clock V2.0"
2006-06-06 21:48:34 625152 ( A.... ) "D:\WINDOWS\is-30V90.exe"
2006-06-02 22:41:54 ( .D... ) "D:\Program Files\Zone Labs"
2006-05-28 13:57:16 ( .D... ) "D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Application Data\Google"
2006-05-28 13:57:12 ( .D... ) "D:\Program Files\Google"
2006-05-27 21:24:04 ( .D... ) "D:\Program Files\Common Files\Adobe Systems Shared"
2006-05-27 20:59:52 ( .D... ) "D:\Program Files\Download Plugin"
2006-05-27 00:57:36 ( .D... ) "D:\Program Files\Photoshop"
2006-05-26 10:53:40 ( .D... ) "D:\Documents and Settings\Gautam.XYZ-D8OIR705F1M\Application Data\Yahoo!"
2006-05-25 01:22:06 53248 ( A.... ) "D:\WINDOWS\bdoscandel.exe"
2006-05-07 13:56:24 ( .D... ) "D:\Program Files\MsnMusic"
2006-04-18 00:18:24 128560079 ( A.... ) "D:\Program Files\Postal 2 Demo.rar"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"C-Media Mixer"="Mixer.exe /startup"
"curb find bolt jugs"="D:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\MEDIA OWNS CURB FIND\\Stupid Time.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DownloadAccelerator"="\"D:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows System"="jqiabpbu.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"srshost.exe"="D:\\WINDOWS\\system32\\srshost.exe"
"EggsNew"="D:\\DOCUME~1\\GAUTAM~1.XYZ\\APPLIC~1\\ROADVG~1\\bintray.exe"
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"Malware Sweeper"="D:\\Program Files\\MalwareSweeper.com\\Malware Sweeper\\MalSwep.exe /STARTUP"
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="D:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Warning homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,02,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="D:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="D:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton System Doctor.lnk]
"path"="D:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Norton System Doctor.lnk"
"backup"="D:\\WINDOWS\\pss\\Norton System Doctor.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\NORTON~1\\SYSDOC32.EXE /STARTUP"
"item"="Norton System Doctor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlfaCleaner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AlfaCleaner"
"hkey"="HKLM"
"command"="D:\\Program Files\\AlfaCleaner\\AlfaCleaner.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Execute]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="expiry"
"hkey"="HKLM"
"command"="D:\\PROGRA~1\\MONEYM~1\\expiry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Huminity]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="huminity"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Huminity\\huminity.exe\" -notifier"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mpp2pl"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\p2pnetworks\\mpp2pl.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jqiabpbu"
"hkey"="HKLM"
"command"="jqiabpbu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notification Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="notify"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Notify\\notify.exe \" /silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="p2pnetworking"
"hkey"="HKLM"
"command"="p2pnetworking.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"=" "
"hkey"="HKCU"
"command"=" "
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UsrPrmpt"
"hkey"="HKLM"
"command"="D:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uninstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uninstall"
"hkey"="HKLM"
"command"="D:\\Program Files\\GuitarFX v2.18\\uninstall.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="D:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdate"
"hkey"="HKLM"
"command"="D:\\Program Files\\winupdate\\winupdate.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"d:\\program files\\zango\\zango.exe\""
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\A6607217919FEAF3.job

Completion time: Tue 07/04/2006 20:22:35.28
ComboFix ver 06.06.26 - This logfile is located at D:\ComboFix.txt




-----------------------------------------------------------------------------------------------------------------------------

the HIJACKTHIS log
-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:24:08 PM, on 7/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\DAP\DAP.EXE
D:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
D:\Program Files\Network Associates\VirusScan\Webscanx.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Setup Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [curb find bolt jugs] D:\Documents and Settings\All Users.WINDOWS\Application Data\MEDIA OWNS CURB FIND\Stupid Time.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] "D:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows System] jqiabpbu.exe
O4 - HKCU\..\Run: [srshost.exe] D:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [EggsNew] D:\DOCUME~1\GAUTAM~1.XYZ\APPLIC~1\ROADVG~1\bintray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Malware Sweeper] D:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe /STARTUP
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - http://www.cartesianinc.com/Products/CPCVi...k/CpcViewAX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CCS\Services\Tcpip\..\{D900BA0D-EA98-4526-A274-E9E1E72E37B9}: NameServer = 61.1.96.69,61.1.96.71
O21 - SSODL: xEAPEilFtDnDU - {19221E07-B388-B4AD-7952-AFBE562711D5} - D:\WINDOWS\System32\uxrn.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe



