
Virtumonde


26 replies to this topic

#1 FlipBoi


Posted 30 July 2006 - 10:12 PM

Hey guys. First I got this virus called ishost and ismon; I used ewido, Ad-Aware SE and Spybot S&D to remove it. After removing it I got WinAntiVirus Pro 2006 prompting me to install, and when I uninstalled it, I got this window from WinAntiVirus Pro 2006 that I got a virus. I did the same procedures to remove it. After everything looked clean I scanned again with ewido and I got this: C:\WINNT\system32\wvwur.dll -> Adware.Virtumonde. It seems to me that something revives wvwur.dll when ewido removes it. I turned off System Restore and tried to run KillVundo; I ran it as a task and when it relaunched it said that I was clean. I don't know what to do now. If you guys could help me it would be awesome. And thanks in advance!! :thumbsup:

(Moderator edit: HJT log post moved to HJT Forum for team review and member help. jgweed)
Logfile of HijackThis v1.99.1
Scan saved at 6:40:47 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cleanmgr.exe
C:\Documents and Settings\Anthony Espiritu\Desktop\stng260.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Anthony Espiritu\Desktop\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146440821384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146440921348
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


here is my ewido log

---------------------------------------------------------

+ Created on: 10:39:07 PM, 7/30/2006
+ Report-Checksum: 53479

+ Scan result:

:mozilla.10:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Anthony Espiritu\Cookies\anthony espiritu@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINNT\system32\wvwur.dll -> Adware.Virtumonde : Cleaned with backup


::Report End

Edited by jgweed, 31 July 2006 - 02:08 AM.




#2 -David-


Posted 31 July 2006 - 10:50 AM

Hey FlipBoi, welcome to Bleeping Computer.

Although nothing is showing in your log I am pretty sure you are infected.

It is strange that there are no O2's or O20's in the log - a new infection is hiding these entries from a HijackThis scan, so it means certain infections cannot be seen and are therefore hidden to the helper. Go to the folder where HijackThis is kept and rename the HijackThis application to "analyse" by right-clicking on the program and clicking "rename". Press enter, then open "analyse.exe" by double-clicking and post a new HijackThis log from the newly named application.

Thanks,
David

#3 FlipBoi (Topic Starter)

Posted 31 July 2006 - 11:43 AM

It worked!! I think that did the trick cuz I see the wvwur.dll

THANKS IN ADVANCE!!!!!

here it is:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:25 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\analyse.exe

O2 - BHO: (no name) - {1B63D226-8EE8-470E-854A-2609CF53BE0E} - C:\WINNT\System32\wvwur.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146440821384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146440921348
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: wvwur - C:\WINNT\System32\wvwur.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

Edited by FlipBoi, 31 July 2006 - 11:45 AM.
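David's point in #2 (a HijackThis scan run under its own name showed no O2 or O20 lines at all) and the two entries that appeared once the binary was renamed (an O2 BHO with no name and an O20 Winlogon Notify hook, both pointing at C:\WINNT\System32\wvwur.dll) can be checked mechanically. The Python below is an added example written for this thread; it is not a tool from the thread, from HijackThis or from VundoFix. The two sample logs are constructed from the lines posted above and trimmed, and the function names are mine. It diffs the two scans to list what the first one withheld, flags any DLL registered both as a browser helper object and as a Winlogon Notify package, and derives the reversed-name companion pattern that the VundoFix instructions in #4 target (wvwur.dll -> ruwvw.*).

```python
import re
from collections import defaultdict

# Constructed sample logs, trimmed from the two HijackThis scans posted in
# this thread: the first taken with the binary still named HijackThis.exe,
# the second after it was renamed to analyse.exe.
LOG_AS_HIJACKTHIS = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\Documents and Settings\Anthony Espiritu\Desktop\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

LOG_AS_ANALYSE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\HJT\analyse.exe

O2 - BHO: (no name) - {1B63D226-8EE8-470E-854A-2609CF53BE0E} - C:\WINNT\System32\wvwur.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O20 - Winlogon Notify: wvwur - C:\WINNT\System32\wvwur.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# HijackThis entry lines look like "O20 - Winlogon Notify: ..."; the section
# code is everything before the first " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .dll inside an entry (paths may contain spaces).
DLL_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.dll\b", re.IGNORECASE)


def parse_entries(log_text):
    """Group every 'Onn - ...' line of a HijackThis log by its section code."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group(1)].append(match.group(2))
    return dict(entries)


def hidden_entries(log_plain, log_renamed):
    """Entries the renamed-binary scan shows that the plainly named scan did not.

    Anything listed here was withheld from the first scan, which is the
    symptom David describes: the tool sees nothing under its own name and a
    BHO plus a Winlogon Notify hook under another.
    """
    seen = parse_entries(log_plain)
    revealed = parse_entries(log_renamed)
    return sorted(
        (section, entry)
        for section, items in revealed.items()
        for entry in items
        if entry not in seen.get(section, [])
    )


def dll_path(entry):
    """First .dll path inside an entry, lower-cased for comparison, or None."""
    match = DLL_PATH_RE.search(entry)
    return match.group(0).lower() if match else None


def cross_registered_dlls(entries):
    """DLLs registered both as a browser helper object (O2) and as a Winlogon
    Notify package (O20). A BHO has no business being loaded by winlogon.exe
    as well; Virtumonde registers the same DLL in both places so it is mapped
    before the user's session starts, which matches the report above that the
    file keeps coming back after ewido removes it.
    """
    bho = {dll_path(e) for e in entries.get("O2", []) if dll_path(e)}
    notify = {dll_path(e) for e in entries.get("O20", []) if dll_path(e)}
    return sorted(bho & notify)


def companion_pattern(path):
    """Wildcard for the reversed-name companion file that the VundoFix
    instructions in this thread add by hand (wvwur.dll -> ruwvw.*)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem[::-1] + ".*"


if __name__ == "__main__":
    for section, entry in hidden_entries(LOG_AS_HIJACKTHIS, LOG_AS_ANALYSE):
        print(f"hidden from plain scan: {section} - {entry}")
    for dll in cross_registered_dlls(parse_entries(LOG_AS_ANALYSE)):
        print(f"BHO + Winlogon Notify: {dll}  (companion: {companion_pattern(dll)})")
```

The diff is the useful part for a helper reading logs: a clean machine can legitimately have no BHOs, so an empty O2 section on its own proves nothing, but an entry that exists only when the scanner runs under a different file name does.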


#4 -David-


Posted 31 July 2006 - 12:04 PM

No problem, let's move on :thumbsup:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less - Click OK
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right-click inside the listbox (white box) and click "add more files"
Copy and paste the 2 entries below into the top 2 boxes (no arrows):

--> C:\WINNT\System32\wvwur.dll
--> C:\WINDOWS\system32\ruwvw.*

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

David

Edited by D-Trojanator, 31 July 2006 - 12:04 PM.


#5 FlipBoi (Topic Starter)

Posted 31 July 2006 - 12:11 PM

here you go

VundoFix V5.1.5

Running as SYSTEM
from C:\\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 10:05:03 AM 7/31/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINNT\System32\wvwur.dll
C:\WINNT\System32\wvwur.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 10:09:08 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\HJT\analyse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146440821384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146440921348
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

Should I run an ewido scan?

Edited by FlipBoi, 31 July 2006 - 12:18 PM.


#6 -David-


Posted 31 July 2006 - 12:21 PM

No need for ewido at the moment.
I think we have killed the virtumonde infection, FlipBoi.

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.
Also let me know how the computer is running.
David

#7 FlipBoi (Topic Starter)

Posted 31 July 2006 - 12:28 PM

I'm not sure why I can't use Panda software anymore; when it updates it says "Not allowing the system's ActiveX control to be downloaded", but before, Panda software was working fine. I'll try to remove it from my Add/Remove Programs.

#8 -David-


Posted 31 July 2006 - 12:31 PM

1. Start Internet Explorer.
2. From the Internet Explorer Tools menu, choose Internet Options.
3. Click the Security tab, and then click the Internet icon.
4. Click the Custom Level button and verify the settings as follows:

* Under Download signed ActiveX controls, select Enable.
* Under Download unsigned ActiveX controls, select Prompt.
* Under Initialize and script ActiveX controls not marked as safe, select Prompt.
* Under Run ActiveX controls and plug-ins, select Enable.
* Under Script ActiveX controls marked safe for scripting, select Enable.
* Select Medium (or a lower setting) from the Reset to drop-down list, click Reset, and then click Yes.

Now please retry.
David

#9 FlipBoi (Topic Starter)

Posted 31 July 2006 - 01:06 PM

Sorry, the scan took a while.


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anthony Espiritu\Cookies\anthony espiritu@atdmt[2].txt
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Anthony Espiritu\Favorites\Antivirus Test Online.url
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\Anthony Espiritu\My Documents\My Music\Playlist\Girls Gone Wild Dorm Room Fantasies.zip[Girls Gone Wild Dorm Room Fantasies.exe]
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Combined Community Codec Pack\Uninstall.exe[²ÜÇ\System.dll]
Spyware:Spyware/Virtumonde

#10 -David-


Posted 31 July 2006 - 01:26 PM

I think some of the log was cut off there.
Please repost the log.
Also, Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#11 FlipBoi (Topic Starter)

Posted 31 July 2006 - 01:35 PM

Nope, this is all it had in the log:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla\Firefox\Profiles\4ca76rji.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anthony Espiritu\Cookies\anthony espiritu@atdmt[2].txt
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Anthony Espiritu\Favorites\Antivirus Test Online.url
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\Anthony Espiritu\My Documents\My Music\Playlist\Girls Gone Wild Dorm Room Fantasies.zip[Girls Gone Wild Dorm Room Fantasies.exe]
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Combined Community Codec Pack\Uninstall.exe[²ÜÇ\System.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{FCB9FDD4-037C-1033-0628-029907090001}\services.dll



Start Time= Mon 07/31/2006 11:30:29.58
Running from: C:\Documents and Settings\Anthony Espiritu\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-30 14:37:04 ( .D... ) "C:\Program Files\DVD Decrypter"
2006-07-25 18:56:56 65556 ( A.... ) "C:\WINNT\system32\vdwsoqho.exe"
2006-07-25 16:09:54 65556 ( A.... ) "C:\WINNT\system32\hcxdhkyf.exe"
2006-07-25 13:16:10 65556 ( A.... ) "C:\WINNT\system32\sqkhudfm.exe"
2006-07-25 00:22:14 77312 ( A.... ) "C:\VundoFix.exe"
2006-07-24 20:32:20 65556 ( A.... ) "C:\WINNT\system32\damctjrv.exe"
2006-07-24 17:54:30 65556 ( A.... ) "C:\WINNT\system32\cfytvnfg.exe"
2006-07-23 17:48:50 4608 ( A.... ) "C:\WINNT\system32\w95inf32.dll"
2006-07-23 17:48:50 2272 ( A.... ) "C:\WINNT\system32\w95inf16.dll"
2006-07-20 23:05:26 ( .D... ) "C:\Program Files\Common Files\{FCB9FDD4-037C-1033-0628-029907090001}"
2006-07-17 18:14:26 407047 ( A.... ) "C:\WINNT\system32\mioengine.exe"
2006-07-14 14:59:54 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\ScanSoft"
2006-07-14 14:59:44 ( .D... ) "C:\Program Files\Common Files\ScanSoft Shared"
2006-07-14 14:59:32 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-08 22:53:02 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Sun"
2006-07-08 00:54:44 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\acccore"
2006-07-08 00:53:08 ( .D... ) "C:\Program Files\AOD"
2006-07-08 00:51:48 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-07-08 00:50:02 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-07-08 00:50:02 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-07-08 00:49:22 ( .D... ) "C:\Program Files\AOL"
2006-07-07 15:41:58 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Google"
2006-06-30 01:05:28 ( .D... ) "C:\Program Files\PeerGuardian2"
2006-06-28 15:43:04 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\SmartFTP"
2006-06-28 15:42:54 ( .D... ) "C:\Program Files\SmartFTP Client 2.0"
2006-06-28 15:42:38 ( .D... ) "C:\Program Files\SmartFTP Client 2.0 Setup Files"
2006-06-27 23:42:42 737280 ( A.... ) "C:\WINNT\iun6002.exe"
2006-06-19 21:41:28 ( .D... ) "C:\Program Files\AMX Mod X"
2006-06-18 06:54:08 36864 ( A.... ) "C:\WINNT\system32\frapsvid.dll"
2006-06-17 10:28:10 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Media Player Classic"
2006-06-17 10:27:20 ( .D... ) "C:\Program Files\K-Lite Codec Pack"
2006-06-15 19:12:44 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-06-13 21:25:48 ( .D... ) "C:\Program Files\Windows"
2006-06-09 17:27:04 ( .D... ) "C:\Program Files\Combined Community Codec Pack"
2006-06-09 15:54:10 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla"
2006-06-09 15:54:08 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-05 19:49:36 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-06-05 19:49:10 176167 ( A.... ) "C:\WINNT\system32\rmoc3260.dll"
2006-06-05 19:48:58 6656 ( A.... ) "C:\WINNT\system32\pndx5016.dll"
2006-06-05 19:48:58 5632 ( A.... ) "C:\WINNT\system32\pndx5032.dll"
2006-06-05 19:48:54 278528 ( A.... ) "C:\WINNT\system32\pncrt.dll"
2006-06-05 19:48:48 ( .D... ) "C:\Program Files\Common Files\Real"
2006-06-05 19:48:36 ( .D... ) "C:\Program Files\Real"
2006-06-05 19:48:24 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Real"
2006-05-31 19:03:36 808 ( A.... ) "C:\WINNT\tmpdata.reg"
2006-05-30 15:53:32 425020 ( A.... ) "C:\WINNT\system32\kilacln.exe"
2006-03-02 21:33:52 21952 ( A..H. ) "C:\Program Files\folder.htt"
2006-03-02 21:33:52 271 ( ..SH. ) "C:\Program Files\desktop.ini"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-31 10:30 73,728 C:\WINNT\system32\asuninst.exe
2006-07-31 10:30 11,776 C:\WINNT\system32\ZPORT4AS.dll
2006-07-27 12:00 267,964,416 C:\hiberfil.sys
2006-07-25 18:56 65,556 C:\WINNT\system32\vdwsoqho.exe
2006-07-25 16:09 65,556 C:\WINNT\system32\hcxdhkyf.exe
2006-07-25 13:16 65,556 C:\WINNT\system32\sqkhudfm.exe
2006-07-24 20:32 65,556 C:\WINNT\system32\damctjrv.exe
2006-07-24 17:54 65,556 C:\WINNT\system32\cfytvnfg.exe
2006-07-24 14:31 77,312 C:\VundoFix.exe
2006-07-23 17:49 63,488 C:\WINNT\system32\unam4ie.exe
2006-07-23 17:49 38,160 C:\WINNT\system32\LMRTREND.dll
2006-07-23 17:49 182,032 C:\WINNT\system32\dxtmsft3.dll
2006-07-23 17:48 4,608 C:\WINNT\system32\w95inf32.dll
2006-07-23 17:48 2,272 C:\WINNT\system32\w95inf16.dll
2006-07-23 17:48 10,240 C:\WINNT\system32\vidx16.dll
2006-07-17 18:14 407,047 C:\WINNT\system32\mioengine.exe
2006-06-29 16:51 8,192 C:\WINNT\system32\tsbyuv.dll
2006-06-29 16:51 49,664 C:\WINNT\system32\vfwwdm32.dll
2006-06-29 16:51 45,568 C:\WINNT\system32\iyuv_32.dll
2006-06-29 16:46 61,440 C:\WINNT\system32\dsnphv71.dll
2006-06-29 16:46 32,528 C:\WINNT\AMCAP.EXE
2006-06-29 16:46 307,200 C:\WINNT\VIDCAP32.EXE
2006-06-29 16:42 49,152 C:\WINNT\system32\vsnphv71.dll
2006-06-29 16:42 28,672 C:\WINNT\vsnphv71.exe
2006-06-29 16:42 20,480 C:\WINNT\dsnphv71.exe
2006-06-29 16:42 120,879 C:\WINNT\usnphv71.exe
2006-06-27 23:42 737,280 C:\WINNT\iun6002.exe
2006-06-18 06:54 36,864 C:\WINNT\system32\frapsvid.dll
2006-06-17 10:27 856,064 C:\WINNT\system32\xvidcore.dll
2006-06-17 10:27 568,850 C:\WINNT\system32\x264vfw.dll
2006-06-17 10:27 5,120 C:\WINNT\system32\ff_vfw.dll
2006-06-17 10:27 286,720 C:\WINNT\system32\3ivxVfWCodec.dll
2006-06-17 10:27 217,088 C:\WINNT\system32\xvidvfw.dll
2006-06-17 10:27 157,696 C:\WINNT\system32\unrar.dll
2006-06-17 10:27 1,415,680 C:\WINNT\system32\WMV9VCM.dll
2006-06-17 10:27 1,024,000 C:\WINNT\system32\3ivx.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="atiptaxx.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{FCB9FDD4-037C-1033-0628-029907090001}"="\"C:\\Program Files\\Common Files\\{FCB9FDD4-037C-1033-0628-029907090001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anthony Espiritu^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Anthony Espiritu\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chikkav4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ChikkaLauncher"
"hkey"="HKCU"
"command"="C:\\Program Files\\ChikkaV4\\\\ChikkaLauncher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1152345006\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\semd32.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\semd64.sys


Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/31/2006 11:30:53.64
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt





Logfile of HijackThis v1.99.1
Scan saved at 11:33:06 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\oldewido.exe
C:\Program Files\Common Files\AOL\1152345006\ee\aolsoftware.exe
C:\HJT\analyse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146440821384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146440921348
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

Edited by FlipBoi, 31 July 2006 - 01:36 PM.


#12 -David-

Posted 31 July 2006 - 04:20 PM

Hey there FlipBoi,

If you compare the first Panda log to the last Panda log you will see the last entry was cut off. I'm afraid to say that your system is not in very good shape and the combofix has detected the presence of a rootkit on your system which needs to be dealt with as soon as possible. Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords, for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\system32\vdwsoqho.exe
C:\WINNT\system32\hcxdhkyf.exe
C:\WINNT\system32\sqkhudfm.exe
C:\WINNT\system32\damctjrv.exe
C:\WINNT\system32\cfytvnfg.exe
C:\WINNT\iun6002.exe
C:\WINNT\system32\kilacln.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

I now want to check for a Haxdoor rootkit, with two scanners.

1) Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.
2) Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

So in the next reply I want:
1) New Hijackthis log.
2) Haxdoor Log.
3) Gmer log.

Good luck and if you have any questions just ask of course.
David

#13 FlipBoi

Posted 31 July 2006 - 05:15 PM

awww man that doesn't sound too good

here ya go

Logfile of HijackThis v1.99.1
Scan saved at 3:12:43 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Anthony Espiritu\Desktop\gmer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\analyse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146440821384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146440921348
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
____________________________________________________________________________________________


HAXFIX logfile - by Marckie
______________
version 4.02
Mon 07/31/2006 14:51:19.57
running from: C:\Program Files\HaxFix

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
ASPI32
semd32
semd64

checking for matching safeboot services....
matching safeboot services found
semd32.sys
semd64.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished

____________________________________________________________________________________________

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-31 15:12:00
Windows 5.1.2600


---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT \??\C:\WINNT\System32\semd64.sys ZwQueryDirectoryFile
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\WINNT\system32\klgcptini.dat
File C:\WINNT\system32\qz.dll
File C:\WINNT\system32\qz.sys
File C:\WINNT\system32\semd32.dll
File C:\WINNT\system32\stt82.ini

---- EOF - GMER 1.0.10 ----

Edited by FlipBoi, 31 July 2006 - 05:19 PM.
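As an added example (not code from this thread, nor from ComboFix, GMER or HaxFix), the Python below reproduces the two reads David made on the logs above: it clusters the random-named, identically sized executables in the ComboFix Find3M listing, and it flags the GMER SSDT hook whose driver is not a known security product and also appears among the safeboot services HaxFix matched. The sample lines are constructed from the logs posted in this thread; the trusted-directory list is an assumption.

```python
"""Added triage helpers written for this thread; not part of ComboFix,
GMER, HaxFix or any other tool named in it."""
import re
from collections import defaultdict

# Constructed sample: a subset of the Find3M lines from the ComboFix log.
FIND3M_SAMPLE = r'''
2006-07-30 14:37:04 ( .D... ) "C:\Program Files\DVD Decrypter"
2006-07-25 18:56:56 65556 ( A.... ) "C:\WINNT\system32\vdwsoqho.exe"
2006-07-25 16:09:54 65556 ( A.... ) "C:\WINNT\system32\hcxdhkyf.exe"
2006-07-25 13:16:10 65556 ( A.... ) "C:\WINNT\system32\sqkhudfm.exe"
2006-07-25 00:22:14 77312 ( A.... ) "C:\VundoFix.exe"
2006-07-24 20:32:20 65556 ( A.... ) "C:\WINNT\system32\damctjrv.exe"
2006-07-24 17:54:30 65556 ( A.... ) "C:\WINNT\system32\cfytvnfg.exe"
2006-07-23 17:48:50 4608 ( A.... ) "C:\WINNT\system32\w95inf32.dll"
2006-03-02 21:33:52 271 ( ..SH. ) "C:\Program Files\desktop.ini"
'''

# Constructed sample: the SSDT section of the GMER log posted in reply #13.
GMER_SAMPLE = r'''
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT \??\C:\WINNT\System32\semd64.sys ZwQueryDirectoryFile
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess
'''

# safeboot\minimal services that HaxFix and ComboFix both listed (from the thread).
SAFEBOOT_SAMPLE = ["semd32.sys", "semd64.sys"]

# Assumption: on this machine only the installed ewido guard driver is an
# expected SSDT hooker; anything else hooking the kernel table gets flagged.
TRUSTED_HOOK_DIRS = ("ewido anti-malware",)

FIND3M_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:(\d+)\s+)?'
    r'\(\s*([.A-Z]+)\s*\)\s+"(.+)"$')
SSDT_RE = re.compile(r'^SSDT\s+\\\?\?\\(.+?)\s+(Zw\w+)$')


def parse_find3m(text):
    """One dict per Find3M line; directory entries (.D...) have size None."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            when, size, attrs, path = m.groups()
            entries.append({"when": when, "size": int(size) if size else None,
                            "attrs": attrs, "path": path})
    return entries


def looks_random(stem):
    """Name shape of the droppers in this log: eight lowercase letters."""
    return len(stem) == 8 and stem.isalpha() and stem.islower()


def size_clusters(entries, min_cluster=3):
    """Group random-named system32 .exe files by exact byte size.
    Several such files of identical size written hours apart is one dropper
    re-created again and again, the pattern David picked out above."""
    by_size = defaultdict(list)
    for e in entries:
        path = e["path"]
        if e["size"] is None or "\\system32\\" not in path.lower():
            continue
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(".exe") and looks_random(name[:-4]):
            by_size[e["size"]].append(path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_cluster}


def untrusted_ssdt_hooks(text, trusted_dirs=TRUSTED_HOOK_DIRS):
    """(module, hooked syscall) for each SSDT hook not from a trusted directory."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        module, syscall = m.groups()
        if not any(d.lower() in module.lower() for d in trusted_dirs):
            hooks.append((module, syscall))
    return hooks


def correlate_with_safeboot(hooks, safeboot_services):
    """Mark hooking drivers that are also registered to load in Safe Mode.
    ZwQueryDirectoryFile is the call directory listings go through, so a
    hook on it can hide files; a driver that does that and is also under
    safeboot\\minimal is a rootkit indicator worth escalating."""
    known = {s.lower() for s in safeboot_services}
    report = []
    for module, syscall in hooks:
        driver = module.rsplit("\\", 1)[-1]
        report.append({"driver": driver, "syscall": syscall,
                       "safeboot_match": driver.lower() in known,
                       "hides_files": syscall == "ZwQueryDirectoryFile"})
    return report
```

Run on the samples it reports the five 65556-byte droppers as one cluster and semd64.sys as a file-hiding hook that also loads in Safe Mode.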


#14 -David-

Posted 31 July 2006 - 05:17 PM

Hey FlipBoi

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.
Also rerun GMER and Combofix and post their logs.
David

#15 FlipBoi

Posted 31 July 2006 - 05:41 PM

HAXFIX logfile - by Marckie
--------------
version 4.02
Mon 07/31/2006 15:20:59.94

--- Auto Haxdoorfix ---

no infections found


--- Goldunfix ---


searching for notifykeys:
no notifykeys found

searching for services:
No services found
_____________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 3:41:02 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Anthony Espiritu\Desktop\gmer.exe
C:\HJT\analyse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146440821384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146440921348
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

______________________________________________________________________________
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-31 15:40:26
Windows 5.1.2600


---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT \??\C:\WINNT\System32\semd64.sys ZwQueryDirectoryFile
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F9F4185A] avgtdi.sys

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\WINNT\system32\klgcptini.dat
File C:\WINNT\system32\qz.dll
File C:\WINNT\system32\qz.sys
File C:\WINNT\system32\semd32.dll
File C:\WINNT\system32\stt82.ini

---- EOF - GMER 1.0.10 ----

_______________________________________________________________________________
Start Time= Mon 07/31/2006 15:21:53.35
Running from: C:\Documents and Settings\Anthony Espiritu\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-31 14:52:44 528446 ( A.... ) "C:\WINNT\gmer.dll"
2006-07-31 14:50:52 ( .D... ) "C:\Program Files\HaxFix"
2006-07-30 14:37:04 ( .D... ) "C:\Program Files\DVD Decrypter"
2006-07-29 23:50:40 5863 ( A.... ) "C:\clean.bat"
2006-07-25 00:22:14 77312 ( A.... ) "C:\VundoFix.exe"
2006-07-23 17:48:50 4608 ( A.... ) "C:\WINNT\system32\w95inf32.dll"
2006-07-23 17:48:50 2272 ( A.... ) "C:\WINNT\system32\w95inf16.dll"
2006-07-20 23:05:26 ( .D... ) "C:\Program Files\Common Files\{FCB9FDD4-037C-1033-0628-029907090001}"
2006-07-17 18:14:26 407047 ( A.... ) "C:\WINNT\system32\mioengine.exe"
2006-07-14 14:59:54 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\ScanSoft"
2006-07-14 14:59:44 ( .D... ) "C:\Program Files\Common Files\ScanSoft Shared"
2006-07-14 14:59:32 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-08 22:53:02 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Sun"
2006-07-08 00:54:44 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\acccore"
2006-07-08 00:53:08 ( .D... ) "C:\Program Files\AOD"
2006-07-08 00:51:48 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-07-08 00:50:02 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-07-08 00:50:02 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-07-08 00:49:22 ( .D... ) "C:\Program Files\AOL"
2006-07-07 15:41:58 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Google"
2006-06-30 01:05:28 ( .D... ) "C:\Program Files\PeerGuardian2"
2006-06-28 15:43:04 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\SmartFTP"
2006-06-28 15:42:54 ( .D... ) "C:\Program Files\SmartFTP Client 2.0"
2006-06-28 15:42:38 ( .D... ) "C:\Program Files\SmartFTP Client 2.0 Setup Files"
2006-06-19 21:41:28 ( .D... ) "C:\Program Files\AMX Mod X"
2006-06-18 06:54:08 36864 ( A.... ) "C:\WINNT\system32\frapsvid.dll"
2006-06-17 10:28:10 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Media Player Classic"
2006-06-17 10:27:20 ( .D... ) "C:\Program Files\K-Lite Codec Pack"
2006-06-15 19:12:44 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-06-13 21:25:48 ( .D... ) "C:\Program Files\Windows"
2006-06-09 17:27:04 ( .D... ) "C:\Program Files\Combined Community Codec Pack"
2006-06-09 15:54:10 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Mozilla"
2006-06-09 15:54:08 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-06 20:49:18 745531 ( A.... ) "C:\WINNT\gmer.exe"
2006-06-05 19:49:36 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-06-05 19:49:10 176167 ( A.... ) "C:\WINNT\system32\rmoc3260.dll"
2006-06-05 19:48:58 6656 ( A.... ) "C:\WINNT\system32\pndx5016.dll"
2006-06-05 19:48:58 5632 ( A.... ) "C:\WINNT\system32\pndx5032.dll"
2006-06-05 19:48:54 278528 ( A.... ) "C:\WINNT\system32\pncrt.dll"
2006-06-05 19:48:48 ( .D... ) "C:\Program Files\Common Files\Real"
2006-06-05 19:48:36 ( .D... ) "C:\Program Files\Real"
2006-06-05 19:48:24 ( .D... ) "C:\Documents and Settings\Anthony Espiritu\Application Data\Real"
2006-05-31 19:03:36 808 ( A.... ) "C:\WINNT\tmpdata.reg"
2006-03-02 21:33:52 21952 ( A..H. ) "C:\Program Files\folder.htt"
2006-03-02 21:33:52 271 ( ..SH. ) "C:\Program Files\desktop.ini"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-31 14:52 745,531 C:\WINNT\gmer.exe
2006-07-31 14:52 528,446 C:\WINNT\gmer.dll
2006-07-31 14:51 90,112 C:\WINNT\system32\RegDACL.exe
2006-07-31 14:51 5,863 C:\clean.bat
2006-07-31 14:51 40,960 C:\WINNT\system32\swsc.exe
2006-07-31 14:51 4,096 C:\WINNT\system32\reboot.exe
2006-07-31 14:51 38,400 C:\WINNT\system32\moveex.exe
2006-07-31 10:30 73,728 C:\WINNT\system32\asuninst.exe
2006-07-31 10:30 11,776 C:\WINNT\system32\ZPORT4AS.dll
2006-07-27 12:00 267,964,416 C:\hiberfil.sys
2006-07-24 14:31 77,312 C:\VundoFix.exe
2006-07-23 17:49 63,488 C:\WINNT\system32\unam4ie.exe
2006-07-23 17:49 38,160 C:\WINNT\system32\LMRTREND.dll
2006-07-23 17:49 182,032 C:\WINNT\system32\dxtmsft3.dll
2006-07-23 17:48 4,608 C:\WINNT\system32\w95inf32.dll
2006-07-23 17:48 2,272 C:\WINNT\system32\w95inf16.dll
2006-07-23 17:48 10,240 C:\WINNT\system32\vidx16.dll
2006-07-17 18:14 407,047 C:\WINNT\system32\mioengine.exe
2006-06-29 16:51 8,192 C:\WINNT\system32\tsbyuv.dll
2006-06-29 16:51 49,664 C:\WINNT\system32\vfwwdm32.dll
2006-06-29 16:51 45,568 C:\WINNT\system32\iyuv_32.dll
2006-06-29 16:46 61,440 C:\WINNT\system32\dsnphv71.dll
2006-06-29 16:46 32,528 C:\WINNT\AMCAP.EXE
2006-06-29 16:46 307,200 C:\WINNT\VIDCAP32.EXE
2006-06-29 16:42 49,152 C:\WINNT\system32\vsnphv71.dll
2006-06-29 16:42 28,672 C:\WINNT\vsnphv71.exe
2006-06-29 16:42 20,480 C:\WINNT\dsnphv71.exe
2006-06-29 16:42 120,879 C:\WINNT\usnphv71.exe
2006-06-18 06:54 36,864 C:\WINNT\system32\frapsvid.dll
2006-06-17 10:27 856,064 C:\WINNT\system32\xvidcore.dll
2006-06-17 10:27 568,850 C:\WINNT\system32\x264vfw.dll
2006-06-17 10:27 5,120 C:\WINNT\system32\ff_vfw.dll
2006-06-17 10:27 286,720 C:\WINNT\system32\3ivxVfWCodec.dll
2006-06-17 10:27 217,088 C:\WINNT\system32\xvidvfw.dll
2006-06-17 10:27 157,696 C:\WINNT\system32\unrar.dll
2006-06-17 10:27 1,415,680 C:\WINNT\system32\WMV9VCM.dll
2006-06-17 10:27 1,024,000 C:\WINNT\system32\3ivx.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="atiptaxx.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{FCB9FDD4-037C-1033-0628-029907090001}"="\"C:\\Program Files\\Common Files\\{FCB9FDD4-037C-1033-0628-029907090001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anthony Espiritu^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Anthony Espiritu\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chikkav4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ChikkaLauncher"
"hkey"="HKCU"
"command"="C:\\Program Files\\ChikkaV4\\\\ChikkaLauncher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1152345006\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\semd32.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\semd64.sys


Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/31/2006 15:22:12.95
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-31.152153.txt


Am I clean?

Edited by FlipBoi, 01 August 2006 - 01:37 AM.