No Icons, No Taskbar, No "start" Menu


This topic is locked
6 replies to this topic

#1 kleopat (Members, 15 posts)

Posted 22 October 2006 - 11:14 AM

She says big "thank you". You've helped her a lot.
And I say "thank you" also. :thumbsup:

Situation:
She followed the steps (including AVG) and deleted Norton and Spybot.
She can access the internet and computer speed is now fine,
but the firewall informs her that she is unprotected.
And she receives messages from Ultimate Cleaner and Spyware Removal Wizard about infections every now and then.

Question: Should she delete all antivirus programs and then install the new ones? (because you said she should have only one)

Here are the reports she sent me:

rapport.txt
SmitFraudFix v2.112

Scan done at 12:31:03,84, ned 22.10.2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\sachostx.exe Deleted
C:\WINDOWS\xpupdate.exe Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\intell321.exe Deleted
C:\WINDOWS\system32\kernels8.exe Deleted
Problem while deleting C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\sachostc.exe Deleted
C:\WINDOWS\system32\sachostp.exe Deleted
C:\WINDOWS\system32\sachosts.exe Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"



»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\oleext.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End





Logfile of HijackThis v1.99.1
Scan saved at 17:32:06, on 22.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EBB800B-81DE-A67F-20E2-050705AA64E4} - C:\WINDOWS\system32\mqjhyym.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [tfnewpc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tfnewpc.dll,sxredcg
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Mod Edit: Logs were split from this thread: http://www.bleepingcomputer.com/forums/top...tml#entry378861
OP was helping a friend who had no Internet access. That has been corrected and she now has access to the Internet.

Edited by quietman7, 22 October 2006 - 12:08 PM.
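The HijackThis log above (22.10.2006) and the second one posted later in this thread (scan of 28.10.2006) differ in which autostart entries survived the SmitFraudFix run, and reading that difference by eye is how the helpers here work. The Python below is an added example, not part of any post and not HijackThis code: it parses the O2/O4/O17/O20 lines, applies a few of the checks a log reader does by hand (orphaned targets, non-stock binaries autostarting from the Windows folder, the RunServices key, unnamed BHOs, Winlogon notification DLLs outside system32 or Program Files, DNS servers to confirm) and diffs the two logs. The embedded excerpts are taken from the two logs in this thread; the allowlist of stock binaries and the heuristics themselves are this example's own assumptions, not HijackThis rules.

```python
"""Triage helpers for HijackThis (HJT) logs: parse autostart entries, flag the
ones an analyst would pull for review, and diff two logs from the same machine.
Added example for this thread; not HijackThis code and not from any post."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    section: str  # HJT section code: O2, O4, O17, O20, O23, ...
    label: str    # Run value name, BHO name, service name, or TCP/IP key
    target: str   # command line, file path, or DNS server list

_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O17 = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<dns>.+)$")
_GEN = re.compile(r"^(?P<sec>O2|O3|O9|O18|O20|O23) - [^:]+: (?P<rest>.+)$")
# First executable or DLL on a command line, quoted or bare; the rest is arguments.
_EXE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|scr))"?(?:\s+(?P<args>.*))?$', re.I)
# Assumed allowlist: stock XP binaries that legitimately autostart from %WINDIR%\system32.
STOCK_WINDIR_BINARIES = {"ctfmon.exe"}

def parse_hjt(text):
    """Return the O2/O3/O4/O9/O17/O18/O20/O23 entries found in an HJT log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            entries.append(Entry("O4", f"{m['hive']} [{m['name']}]", m["cmd"]))
        elif m := _O17.match(line):
            entries.append(Entry("O17", m["key"], m["dns"]))
        elif m := _GEN.match(line):
            parts = [p.strip() for p in m["rest"].split(" - ")]
            entries.append(Entry(m["sec"], parts[0], parts[-1]))
    return entries

def _path(target):  # bare path without HJT's "(file missing)" annotation
    return target.replace("(file missing)", "").strip()

def program_path(cmd):
    """Executable an O4 command starts; for rundll32, the DLL it loads (the payload)."""
    m = _EXE.match(cmd.strip())
    if not m:
        return cmd.strip()
    exe, args = m["exe"], m["args"] or ""
    if exe.lower().endswith("rundll32.exe") and args:
        return args.split(",")[0].strip().strip('"')
    return exe

def flag(entry):
    """Reasons an analyst would review this entry; [] when nothing stands out."""
    reasons = []
    path = _path(entry.target)
    if "(file missing)" in entry.target:
        reasons.append("orphaned: target file no longer exists")
    if entry.section == "O4":
        if "runservices" in entry.label.lower():
            reasons.append("RunServices key: Win9x-era autostart, rarely legitimate on XP")
        prog = program_path(path)
        folder, _, base = prog.lower().rpartition("\\")
        if folder in ("c:\\windows", "c:\\windows\\system32") and base not in STOCK_WINDIR_BINARIES:
            reasons.append(f"non-stock binary autostarting from the Windows folder: {prog}")
    elif entry.section == "O2" and entry.label == "(no name)":
        reasons.append("unnamed BHO: loaded into every Internet Explorer process")
    elif entry.section == "O20" and not re.search(r"\\(system32|program files)\\", path, re.I):
        reasons.append("Winlogon notification DLL outside system32 / Program Files")
    elif entry.section == "O17":
        reasons.append("confirm these DNS servers belong to the ISP (DNS hijack check)")
    return reasons

def diff_logs(before, after):
    """(removed, kept, added) entries, keyed on section, label and bare path."""
    key = lambda e: (e.section, e.label, _path(e.target).lower())
    b = {key(e): e for e in parse_hjt(before)}
    a = {key(e): e for e in parse_hjt(after)}
    removed = [b[k] for k in sorted(b.keys() - a.keys())]
    kept = [a[k] for k in sorted(b.keys() & a.keys())]
    added = [a[k] for k in sorted(a.keys() - b.keys())]
    return removed, kept, added

# Excerpts of the 22.10.2006 and 28.10.2006 HijackThis logs posted in this thread.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {0EBB800B-81DE-A67F-20E2-050705AA64E4} - C:\WINDOWS\system32\mqjhyym.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [tfnewpc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tfnewpc.dll,sxredcg
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {0EBB800B-81DE-A67F-20E2-050705AA64E4} - C:\WINDOWS\system32\mqjhyym.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D128337-C1A2-4EDF-88A3-7BB080CAA026}: NameServer = 195.29.150.3 195.29.150.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""
```

Call diff_logs(BEFORE_LOG, AFTER_LOG) and run flag() over the kept entries, or point parse_hjt at a full saved log. On the excerpts, the diff shows sachost, the rundll32-loaded tfnewpc.dll, the _mzu_stonedrv3 RunServices entry and the winsys2freg Winlogon hook gone, while gwiz (ntsystem.exe), gemstrmw and the orphaned unnamed BHO are still present. Two caveats the output makes visible: NeroCheck.exe is a legitimate Nero component that trips the Windows-folder heuristic, and Ultimate Cleaner, the program whose infection warnings are described in the first post, is not flagged by any path heuristic because it installs under Program Files like an ordinary application. Path heuristics shorten the list; the scanner logs and the helper still decide what is malicious.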



#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 27 October 2006 - 10:08 PM

Hello kleopat,

Since you are badly infected, please run the following scans.

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. :thumbsup:

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the log.


***********************

Download SUPERantispyware
  • Load SUPERantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log to this thread.
Submit the SUPERantispyware log, the BitDefender log and a fresh Hijackthis log.

Edited by SifuMike, 27 October 2006 - 10:22 PM.


#3 kleopat (Topic Starter, Members, 15 posts)

Posted 04 November 2006 - 09:52 AM

Here's what my friend said:

This is the BitDefender scan report in Notepad format. I did save it on my desktop in HTML format, but I couldn't paste it on here. I don't know why; maybe it's too big.
BitDefender Online Scanner - Scan Report

Scan report generated at: Tue, Oct 31, 2006 - 10:23:43

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics
  Time          01:04:39
  Files         637246
  Folders       5716
  Boot Sectors  6
  Archives      3014
  Packed Files  64691

Results
  Identified Viruses  0
  Infected Files      0
  Suspect Files       0
  Warnings            0
  Disinfected         0
  Deleted Files       0

Engines Info
  Virus Definitions  479421
  Engine build       AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
  Scan plugins       13
  Archive plugins    38
  Unpack plugins     6
  E-mail plugins     6
  System plugins     1

Scan Settings
  First Action        Disinfect
  Second Action       Delete
  Heuristics          Yes
  Enable Warnings     Yes
  Scanned Extensions  *;
  Exclude Extensions  (none)
  Scan Emails         Yes
  Scan Archives       Yes
  Scan Packed         Yes
  Scan Files          Yes
  Scan Boot           Yes

Scanned File / Status
  No virus found.


Logfile of HijackThis v1.99.1
Scan saved at 23:04:33, on 28.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Ultimate Cleaner\App.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EBB800B-81DE-A67F-20E2-050705AA64E4} - C:\WINDOWS\system32\mqjhyym.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D128337-C1A2-4EDF-88A3-7BB080CAA026}: NameServer = 195.29.150.3 195.29.150.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D128337-C1A2-4EDF-88A3-7BB080CAA026}: NameServer = 195.29.150.3 195.29.150.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


SUPERAntiSpyware Scan Log
Generated 10/28/2006 at 10:41 PM

Application Version : 3.3.1020

Core Rules Database Version : 3115
Trace Rules Database Version: 1139

Scan type : Complete Scan
Total Scan Time : 00:24:35

Memory items scanned : 608
Memory threats detected : 2
Registry items scanned : 5319
Registry threats detected : 21
File items scanned : 32628
File threats detected : 249

Trojan.Downloader-DoneDU
C:\WINDOWS\SYSTEM32\MQJHYYM.DLL
C:\WINDOWS\SYSTEM32\MQJHYYM.DLL
C:\WINDOWS\SYSTEM32\TFNEWPC.DLL
C:\WINDOWS\SYSTEM32\TFNEWPC.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Prša\Cookies\prša@i.screensavers[1].txt
C:\Documents and Settings\Prša\Cookies\prša@data4.perf.overture[2].txt
C:\Documents and Settings\Prša\Cookies\prša@tracker.affistats[2].txt
C:\Documents and Settings\Prša\Cookies\prša@1071666856[1].txt
C:\Documents and Settings\Prša\Cookies\prša@msnportal.112.2o7[1].txt
C:\Documents and Settings\Prša\Cookies\prša@as-us.falkag[1].txt
C:\Documents and Settings\Prša\Cookies\prša@ads.belointeractive[2].txt
C:\Documents and Settings\Prša\Cookies\prša@tradedoubler[2].txt
C:\Documents and Settings\Prša\Cookies\prša@qnsr[1].txt
C:\Documents and Settings\Prša\Cookies\prša@trafficmp[2].txt
C:\Documents and Settings\Prša\Cookies\prša@microsofteup.112.2o7[1].txt
C:\Documents and Settings\Prša\Cookies\prša@m1.webstats4u[1].txt
C:\Documents and Settings\Prša\Cookies\prša@cgi-bin[5].txt
C:\Documents and Settings\Prša\Cookies\prša@ads.multimania.lycos[1].txt
C:\Documents and Settings\Prša\Cookies\prša@campaign.indieclick[1].txt
C:\Documents and Settings\Prša\Cookies\prša@ads.touregypt[1].txt
C:\Documents and Settings\Prša\Cookies\prša@atwola[2].txt
C:\Documents and Settings\Prša\Cookies\prša@a[1].txt
C:\Documents and Settings\Prša\Cookies\prša@http.edge.vru4[2].txt
C:\Documents and Settings\Prša\Cookies\prša@ads.addynamix[1].txt
C:\Documents and Settings\Prša\Cookies\prša@fortunecity[2].txt
C:\Documents and Settings\Prša\Cookies\prša@http://www.screensavers[1].txt
C:\Documents and Settings\Prša\Cookies\prša@tripod[1].txt
C:\Documents and Settings\Prša\Cookies\prša@ads2.pogodak[1].txt
C:\Documents and Settings\Prša\Cookies\prša@statcounter[1].txt
C:\Documents and Settings\Prša\Cookies\prša@realmedia[2].txt
C:\Documents and Settings\Prša\Cookies\prša@redcats.122.2o7[1].txt
C:\Documents and Settings\Prša\Cookies\prša@ads.neodelight[1].txt
C:\Documents and Settings\Prša\Cookies\prša@cgi-bin[7].txt
C:\Documents and Settings\Prša\Cookies\prša@euros4click[2].txt
C:\Documents and Settings\Prša\Cookies\prša@focalex[1].txt
C:\Documents and Settings\Prša\Cookies\prša@serving-sys[2].txt
C:\Documents and Settings\Prša\Cookies\prša@system[1].txt
C:\Documents and Settings\Prša\Cookies\prša@partners.webmasterplan[1].txt
C:\Documents and Settings\Prša\Cookies\prša@perf.overture[1].txt
C:\Documents and Settings\Prša\Cookies\prša@revsci[2].txt
C:\Documents and Settings\Prša\Cookies\prša@ford.112.2o7[1].txt
C:\Documents and Settings\Prša\Cookies\prša@stat.onestat[1].txt
C:\Documents and Settings\Prša\Cookies\prša@kanoodle[1].txt
C:\Documents and Settings\Prša\Cookies\prša@webstat[2].txt
C:\Documents and Settings\Prša\Cookies\prša@89451406[1].txt
C:\Documents and Settings\Prša\Cookies\prša@34292599[1].txt
C:\Documents and Settings\Prša\Cookies\prša@data3.perf.overture[1].txt
C:\Documents and Settings\Prša\Cookies\prša@image.masterstats[1].txt
C:\Documents and Settings\Prša\Cookies\prša@indextools[1].txt
C:\Documents and Settings\Prša\Cookies\prša@e-2dj6wjloqoc5mfq.stats.esomniture[1].txt
C:\Documents and Settings\Prša\Cookies\prša@apmebf[2].txt
C:\Documents and Settings\Prša\Cookies\prša@adopt.specificclick[2].txt
C:\Documents and Settings\Prša\Cookies\prša@e-2dj6wjloggdzkbo.stats.esomniture[2].txt
C:\Documents and Settings\Prša\Cookies\prša@ads.albawaba[1].txt
C:\Documents and Settings\Prša\Cookies\prša@ad.nifty[1].txt
C:\Documents and Settings\Prša\Cookies\prša@cgi-bin[6].txt
C:\Documents and Settings\Prša\Cookies\prša@dist.belnk[2].txt
C:\Documents and Settings\Prša\Cookies\prša@questionmarket[2].txt
C:\Documents and Settings\Prša\Cookies\prša@e-2dj6wgkiwpajkdo.stats.esomniture[2].txt

Trojan.Malware
HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}

Trojan.MZU_DRV-Rootkit
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK#Type
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK#Start
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK#ProcessName
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Security
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\MZU_RK\Enum#INITSTARTFAILED
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices#_mzu_stonedrv3 [ c:\windows\system32\_mzu_stonedrv3.exe ]

Trojan.Downloader-WS2F
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Asynchronous

Trojan.Downloader-H91
C:\DOCUMENTS AND SETTINGS\

#4 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:54 PM

Posted 04 November 2006 - 01:05 PM

Hi kleopat,

here's what my friend said:



If your friend has Internet access, it makes it less confusing if you have her post directly.
Things get lost when it goes through another person. :thumbsup:

How is the computer acting now?

This is the BitDefender scan report in Notepad format. I did save it on my desktop in HTML format, but I couldn't paste it on here. I don't know why, maybe it's too big.
<HTML>
<HEAD>
<TITLE>BitDefender Online Scanner -Scan Report</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name="generator" content="Namo WebEditor v5.0(Trial)">
</HEAD>
<BODY BGCOLOR=#FFFFFF leftmargin="10" marginwidth="0" topmargin="20" marginheight="0"



Nope, not too big. The reason it is unreadable is because you did not follow my instructions on saving the BitDefender file.
This BitDefender log is unreadable the way it is. :flowers:


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Do not proceed with the rest of the fix if you fail to run combofix.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 04 November 2006 - 01:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 kleopat

  • Topic Starter

  • Members
  • 15 posts
  • Local time:10:54 PM

Posted 06 November 2006 - 04:15 PM

I'm just c\p-ing everything she sends to me.
And she has internet access now (she didn't have it at first; that's why I'm here).
I thought that she couldn't reply to this thread (because I started this thread),
or do you suggest that she needs to open her own account and open a new thread?


SHE HAS SENT THIS:

Prša - 06-11-06 21:16:18,09 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Prša\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


2006-10-28 21:21 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2006-10-21 19:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-16 18:35 67,716 --a------ C:\WINDOWS\system32\image1.gif.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-06 21:02 -------- d-------- C:\Documents and Settings\Prsa\Application Data\Skype
2006-11-05 18:40 -------- d-------- C:\Program Files\FINA e-kartica
2006-10-31 14:26 -------- d-------- C:\Program Files\Ultimate Cleaner
2006-10-29 08:21 -------- d-------- C:\Program Files\Grisoft
2006-10-28 21:14 -------- d-------- C:\Program Files\SUPERAntiSpyware
2006-10-28 21:14 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-28 21:14 -------- d-------- C:\Program Files\Common Files
2006-10-28 21:14 -------- d-------- C:\Documents and Settings\Prsa\Application Data\SUPERAntiSpyware.com
2006-10-25 20:28 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-10-24 18:12 -------- d-------- C:\Program Files\Orasar
2006-10-22 16:29 -------- d-------- C:\Program Files\7-Zip
2006-10-22 16:28 -------- d-------- C:\Program Files\HijackThis
2006-10-22 16:15 -------- d-------- C:\Program Files\ChickenInvaders2_at
2006-10-22 16:12 -------- d-------- C:\Program Files\Norton AntiVirus
2006-10-22 16:12 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-22 13:28 -------- d-------- C:\Documents and Settings\Prsa\Application Data\Ultimate Cleaner
2006-10-22 11:37 -------- d-------- C:\Program Files\Google
2006-10-07 17:33 -------- d-------- C:\Program Files\Skype
2006-09-19 20:21 -------- d-------- C:\Program Files\HyperSnap 6
2006-09-18 13:39 -------- d-------- C:\Documents and Settings\Prsa\Application Data\Google
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gemstrmw"="C:\\WINDOWS\\system32\\gemstrmw.exe /r"
"QuickPassword"="C:\\Program Files\\ActivCard\\ActivCard Gold\\agquickp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"Ultimate Cleaner"="C:\\Program Files\\Ultimate Cleaner\\App.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,d9,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

Completion time: 06-11-06 21:17:43.07
C:\ComboFix.txt ... 06-11-06 21:17

#6 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:54 PM

Posted 06 November 2006 - 05:01 PM

do you suggest that she needs to open her account and open a new thread?


That is the best way to do it. Far less confusion that way.
Have her put my name, SifuMike in the title line along with " Continuing thread - No Icons, No Taskbar, No "start" Menu".
Then I will grab it when it appears. PM me her name, so I recognize the thread easily.

If she puts a link in her new thread to the old one, then everyone will know the background.

Edited by SifuMike, 06 November 2006 - 05:03 PM.


#7 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:54 PM

Posted 15 November 2006 - 06:40 PM

This thread will be locked, as the friend, schoko_bon, has posted a continuation of the log here:
http://www.bleepingcomputer.com/forums/t/71950/sifu-mikecontinuing-thread-no-icons-no-taskbar-no-start-menu/

Edited by SifuMike, 15 November 2006 - 06:51 PM.




