
Spyware Creating Files On Startup


15 replies to this topic

#1 ashton88

ashton88

  • Members
  • 9 posts

Posted 25 October 2006 - 02:57 AM

It started when popups came out of nowhere and wouldn't leave. The desktop turned black and told me my computer was in danger. BraveSentry then asked me to buy it. I've since fixed that problem, but there is still one thing left. Here is the log file I kept of the cleaning:

GONE stone17.exe
GONE jflwgmqc.exe
GONE loadadv628.exe
GONE vs7jit.exe
GONE dmx5A.tmp

GONE c:\windows\system32\pwinkpem.exe
GONE c:\windows\system32\_mzu_stonedrv3.exe
GONE c:\windows\system32\durvil1.exe
GONE c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
GONE c:\windows\BZXKJDH.EXE
GONE c:\windows\system32\BFMNH.EXE
GONE c:\windows\system32\LWJHS.EXE
GONE c:\windows\system32\MBSRRYJ.EXE
GONE c:\windows\system32\RDUJYBU.DLL
GONE c:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\DDHKN.EXE
GONE C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

These pop up on startup, giving me errors because it can't find the files (I removed them):

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERae21.dir00\stone17.exe.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERae21.dir00\appcompat.txt

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER2341.dir00\loadadv628.exe.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER2341.dir00\appcompat.txt

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERff52.dir00\dmxB.tmp.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERff52.dir00\appcompat.txt

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER0e4a.dir00\dmxA.tmp.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER0e4a.dir00\appcompat.txt

It creates about 8 files in my C:\, and a dozen or so in C:\Documents and Settings\LocalService\Local Settings\Temp. It runs about 5 services in the background; I have to close them before I can delete some of the files. They always come back on startup, and I get the errors stated above.

I got BartPE and ran SUPERAntiSpyware, VundoFix, SpyBot, and AdAware, and they can't find anything. I have gone through msconfig and a 3rd-party startup program and removed everything that seemed like it wasn't supposed to be there, and that didn't fix anything. I ran HijackThis and removed everything out of the ordinary, and that didn't fix anything. I tried googling the names of the files it creates, and nothing came up. I'm at a dead end here.

My HiJackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:50:45 AM, on 10/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Administrator\Desktop\garbage\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader0713.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Let me get the names of the files and post them.

Edit: How do I change my display name?

Edited by ashton88, 25 October 2006 - 03:19 AM.
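
A small triage script, added here as an example and not part of the thread or of HijackThis itself, that reads lines in the format of the log above and flags the entries a helper would look at first: any non-empty AppInit_DLLs value (O20), protocol handlers that HijackThis marks as hijacked (O18), and Run-key entries (O4) that launch a bare filename or a program from a user-writable folder. The sample lines are copied from the log above; the trusted-folder list, the user-writable markers and the severity labels are my own assumptions, and Global Startup (.lnk) entries are not parsed.

```python
"""Triage a HijackThis-style log and flag persistence entries that need a second look."""
import re

# Constructed sample, in the format of the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed: folders an autostart entry is expected to live in on an XP box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumed: path fragments that mean "an ordinary user can write here", where droppers park payloads.
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\temp\\", "\\local settings\\", "\\application data\\")

RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
HIJACK_RE = re.compile(r"^O18 - Protocol hijack: (?P<scheme>\S+)")


def run_target(cmd):
    """Return the program an O4 command line really launches (quoted or not)."""
    m = re.match(r'\s*"?(?P<exe>[^"]*?\.exe)"?', cmd, re.IGNORECASE)
    if not m:
        return cmd.strip()
    exe = m.group("exe")
    # rundll32 is only a host process: the interesting path is the DLL it is told to load.
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll = re.match(r"\s*(?P<dll>[^,]*?\.dll)", cmd[m.end():], re.IGNORECASE)
        if dll:
            return dll.group("dll")
    return exe


def triage(log_text):
    """Return a list of (line, severity, reason) for entries that deserve review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = APPINIT_RE.match(line)
        if m and m.group("dlls"):
            # AppInit_DLLs is loaded into every process that links user32.dll, so the
            # registry value and the DLL file have to be removed together.
            findings.append((line, "high", "AppInit_DLLs set to " + m.group("dlls")))
            continue
        m = HIJACK_RE.match(line)
        if m:
            findings.append((line, "high", "HijackThis reports the %s handler as hijacked" % m.group("scheme")))
            continue
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            low = target.lower()
            if "\\" not in low:
                findings.append((line, "medium", "bare filename %s is resolved through the search path at logon" % target))
            elif any(mk in low for mk in USER_WRITABLE_MARKERS):
                findings.append((line, "medium", "autostart from a user-writable folder: " + target))
            elif not low.startswith(TRUSTED_PREFIXES):
                findings.append((line, "low", "autostart outside Windows/Program Files: " + target))
    return findings


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample, the script leaves the NVIDIA and QuickTime entries alone and reports four items: the bare `copyfstq.exe`, the program started from the Desktop, the hijacked `http` handler and the `ldcore.dll` AppInit entry. "Medium" findings are review items, not verdicts: a dyndns client the user installed on the Desktop will be flagged just like a dropper would, which is exactly the point of asking where an autostart lives.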



#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 October 2006 - 07:55 AM

Hi ashton88, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts

Posted 25 October 2006 - 01:22 PM

Thanks. I'll post the names of the files that it creates soon.

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 October 2006 - 03:41 AM

Hi ashton88, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1.

How do I change my display name?


Go here, click Global Moderator or Moderator underneath HijackThis Logs and Analysis and ask one of them to do that for you.

2. Have you run HijackThis while in Safe Mode? If you did and still are please reboot to go back into Normal mode.

3. Unfortunately I see no firewall and AntiVirus in your running processes which probably means that you have none. I urge you to install an AV and a firewall:

> See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources!

> Good but for free firewalls:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

4. You are running HijackThis from a folder called 'garbage' on your desktop. HJT creates backups and we want them safe and secure should they be required later. For that reason I recommend to remove HijackThis to its own location. Create a folder on your C: drive: click Start > My Computer, open/double-click your C:\ drive, select New, next Folder and call it C:\hijackthis. Drag HijackThis into that folder!

5. Please upload this file to gather further information on it:

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here: The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "c:\windows\system32\ldcore.dll"
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • c:\windows\system32\ldcore.dll
  • Click Open.
  • Click Post.
Thank you!

6. Run HijackThis, click Scan and checkmark the following entries:

O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlo...nloader0713.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

7. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

8. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 5.0 Update 9). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have this icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 5.0 Update 9
9. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report along with a fresh HijackThis log for review and let me know how things are running now.

#5 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts

Posted 27 October 2006 - 12:24 AM

I did some more tweaking after I made the first post, and now all the problems I had stated there are gone. But my computer is still slow and lags, and I recently learned my IP has been listed somewhere on a black list for IPs that could be a threat to websites because of malware. Because of it I haven't been able to access certain websites.

2. I was in normal mode.

3. I usually don't use virus scanners or firewalls because they are nagging (especially Zone Alarm) and usually get in the way of what I'm trying to do on my computer. But I'll get some for this case.

4. I don't see why this is such a big deal, it's more convenient for me to keep it there, but okay.

5. Geeks to Go? I linked them here to this topic instead. I already know ldcore is a trojan; I'm trying to delete it. I think I may have just done so; we'll see if it comes back.

6. I had already done this. ldcore was still there (was anything supposed to change), and GoonZu isn't a problem, I know what that is, but I removed it anyways because I don't play that game anymore.

7. I had already cleaned out my computer using a similar program, but I went ahead and used this too.

8. I hate how Java never tells me about these updates. Updating Java has always been one of the most annoying things about it. This may be why Google Video and HouseCall no longer work for me.

9. I get a 404 error when trying to access this site.

I have been using computers for about 12 or 13 years now, and this is the worst I have ever been infected. I would usually just backup all of my important files, do a format, and re-install, but this time I am determined to beat this SpyWare. That and I don't have enough space on my other hard-drives to backup my files. How on earth is SpyWare legal?

Edited by ashton88, 27 October 2006 - 12:47 AM.


#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 October 2006 - 07:11 AM

Hi ashton88, :thumbsup:

I did some more tweaking after I made the first post, and now all the problems I had stated there are gone.


Okay that's good to hear but are you sure?

... this time I am determined to beat this SpyWare.


Okay so let's be sure and continue.

I usually don't use virus scanners or firewalls because they are nagging (especially Zone Alarm) and usually get in the way of what I'm trying to do on my computer. But I'll get some for this case.


Very good decision.

4. I don't see why this is such a big deal, it's more convenient for me to keep it there, but okay.


It's not a big deal and you may keep it there if you want, as long as you remember not to delete any HJT backups.

5. Geeks to Go? I linked them here to this topic instead. I already know ldcore is a trojan, i'm trying to delete it.


You didn't upload the file? That's a pity since then we have lost an opportunity to learn more about that file.

6. I had already done this. ldcore was still there (was anything supposed to change)


To check I asked you to post a fresh HijackThis log.

9. I get a 404 error when trying to access this site.


It worked and still works fine for me. Please try again. If it still doesn't work run Panda's Active Scan.

Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report together with a fresh HijackThis log.

#7 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts

Posted 31 October 2006 - 02:24 AM

I uploaded ldcore, deleted it because it was a trojan, and it's come back. Here is a fresh HiJackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:08 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\svchost.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader0713.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I installed Zone Alarm, sometimes it takes up 100% of my CPU power. I turn it off, and then System takes up 100%. It goes from 100% down to about 13%, and keeps going like that, causing my computer to lag.

So far it looks like ldcore is the only file that's being created on startup (or is downloaded while I surf the web). Here's the thread:

http://www.thespykiller.co.uk/forum/index.php?topic=2899.0

I'm doing the Panda scan now, it's going to take a while.

Edit: I don't think this Panda thing is working. Is there supposed to be a status bar? That other site still gives me a 404 error. I just found out what the problem is. Some of the spyware decided to mess with my hosts file (c:\windows\system32\drivers\etc), telling all the websites that could help fix my computer to redirect to my computer.

127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com

I kind of thought that was the problem, I should have checked it earlier. I deleted all of that, and that site works now. Hopefully the scanning will. For some reason online scanners don't work on my computer.

Edit: Yay! It's working!

Edit: Here's the report

http://rayofash.f2o.org/virus.html

Edited by ashton88, 31 October 2006 - 09:34 PM.
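
The hosts-file tampering ashton88 found above is a standard trick for keeping a machine away from AV updates and online scanners, and it is easy to audit for. The script below is an added example, not part of the thread: it parses text in hosts-file format, flags any entry that points a security-vendor domain (or a subdomain of one) at the loopback or unspecified address, and produces a cleaned copy that keeps every other line intact. The vendor-domain list is built from the entries quoted in the post above and is an assumption to be extended; the sample hosts text is constructed for the demonstration.

```python
"""Audit a Windows hosts file for entries that blackhole security-vendor sites."""
import ipaddress

# Constructed sample: the stock entry, a legitimate local alias, and entries of
# the kind found in the infected hosts file above (one using 0.0.0.0 instead).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   # added by the user, legitimate
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
0.0.0.0   downloads1.kaspersky-labs.com
"""

# Assumed list, taken from the domains in the post above; extend as needed.
VENDOR_DOMAINS = {
    "trendmicro.com", "mcafee.com", "symantec.com", "symantecliveupdate.com",
    "nai.com", "networkassociates.com", "my-etrust.com", "ca.com",
    "kaspersky.com", "kaspersky-labs.com", "avp.com", "viruslist.com",
    "f-secure.com", "sophos.com",
}


def parse_line(raw):
    """Return (ip, [hostnames]) for a mapping line, or None for comments, blanks and junk."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    return ip, parts[1:]


def is_vendor_host(name):
    """True if name is a listed vendor domain or a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in VENDOR_DOMAINS for i in range(len(labels)))


def is_blackhole(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return (bad_entries, cleaned_text).

    bad_entries is a list of (line_no, ip, hostname).  cleaned_text keeps every
    line that was not flagged; a line mixing flagged and unflagged names is
    rewritten with only the unflagged ones.
    """
    bad, kept = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            kept.append(raw)
            continue
        ip, hosts = parsed
        flagged = [h for h in hosts if is_blackhole(ip) and is_vendor_host(h)]
        bad.extend((n, str(ip), h) for h in flagged)
        remaining = [h for h in hosts if h not in flagged]
        if not flagged:
            kept.append(raw)
        elif remaining:
            kept.append(f"{ip} {' '.join(remaining)}")
    return bad, "\n".join(kept) + "\n"


if __name__ == "__main__":
    findings, cleaned = audit_hosts(SAMPLE_HOSTS)
    for line_no, ip, host in findings:
        print(f"line {line_no}: {host} -> {ip}")
    print("--- cleaned hosts ---")
    print(cleaned, end="")
```

Running it on the sample reports the four vendor entries and leaves `localhost`, the `fileserver` alias and the comment untouched. On a real machine the file to read is `%SystemRoot%\system32\drivers\etc\hosts`, the same location the post above names; the output is written back only after you have looked at the findings, since an entry for a domain you deliberately blocked would be flagged the same way.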


#8 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 November 2006 - 08:46 AM

Hi ashton88, :thumbsup:

I installed Zone Alarm, sometimes it takes up 100% of my CPU power. I turn it off, and then System takes up 100%. It goes from 100% down to about 13%, and keeps going like that, causing my computer to lag.


Okay but it is not running anymore. Try another one; there are two other ones in my post.

1. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Using Windows Explorer, please delete the following folder in bold if listed:

C:\Program Files\Rainlendar2

.... and file in bold if listed:

c:\windows\system32\ldcore.dll

Let me know how this went.

Did you succeed in running Panda?

Please post the Panda Active Scan report, along with a fresh HijackThis log.

#9 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts

Posted 01 November 2006 - 02:36 PM

Panda doesn't work, I posted the Kaspersky log. Rainlendar is a calendar, very popular amongst Windows and Linux users.

I'll try deleting ldcore again. Also, are you just copying and pasting instructions from a file? You're talking like I'm new to computers, and you seem very distant.

Rainlendar: http://www.rainlendar.net/cms/index.php

Edit: I deleted ldcore, but I think it will just come back; it's a very common spyware. The problem with my computer lies deeper than that though. If you notice the Kaspersky log, it found viruses in c:\System Volume Information\. That looks pretty bad, especially since I can't access that folder. I don't have access to a lot of the folders Kaspersky says have viruses in them. I may be able to get into them with a boot disk like BartPE, but I don't think I'll be able to clean them.

Fresh HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:05:26 PM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader0713.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by ashton88, 01 November 2006 - 03:08 PM.


#10 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:15 PM

Posted 01 November 2006 - 03:36 PM

Hi ashton88, :thumbsup:

I posted the Kaspersky log.


Could you please post it in this thread by using the Add Reply button so I can see it as well. :flowers:

#11 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 01 November 2006 - 03:53 PM

It saved as an HTML file; I linked it: http://rayofash.f2o.org/virus.html

And why are you telling me to use the Add Reply button? I know how to post.

Edit: I found a way to convert it to a text file, here it is:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, October 31, 2006 6:27:10 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 31/10/2006
 Kaspersky Anti-Virus database records: 223274
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: standard
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	E:\
	F:\

Scan Statistics:
	Total number of scanned objects: 177788
	Number of viruses found: 18
	Number of infected objects: 75 / 0
	Number of suspicious objects: 6
	Duration of the scan process: 07:29:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\count.jar-15d389d-3f7de7e6.zip.bac_a01780/BlackBox.class	Infected: Exploit.Java.ByteVerify	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\count.jar-15d389d-3f7de7e6.zip.bac_a01780/VerifierBug.class	Infected: Exploit.Java.ByteVerify	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\count.jar-15d389d-3f7de7e6.zip.bac_a01780/Beyond.class	Infected: Trojan-Downloader.Java.OpenConnection.aa	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\count.jar-15d389d-3f7de7e6.zip.bac_a01780	ZIP: infected - 3	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\count.jar-15d389d-3f7de7e6.zip.bac_a01780	CryptFF.b: infected - 3	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dlh9jkdq2.exe.bac_a01780	Infected: Packed.Win32.Tibs	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dlh9jkdq5.exe.bac_a01780	Infected: Trojan-Downloader.Win32.Small.cwj	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dlh9jkdq6.exe.bac_a01780	Infected: Packed.Win32.Tibs	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dlh9jkdq7.exe.bac_a01780	Infected: Packed.Win32.Tibs	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\IeHelperVY.dll.bac_a01780	Infected: Packed.Win32.Tibs	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\java.jar-560f2184-4612bfae.zip.bac_a01780/GetAccess.class	Infected: Trojan-Downloader.Java.OpenConnection.aj	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\java.jar-560f2184-4612bfae.zip.bac_a01780/Installer.class	Infected: Trojan-Downloader.Java.OpenConnection.aj	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\java.jar-560f2184-4612bfae.zip.bac_a01780	ZIP: infected - 2	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\java.jar-560f2184-4612bfae.zip.bac_a01780	CryptFF.b: infected - 2	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\load54.jar-52866827-7f94ce4c.zip.bac_a01780/Matrix.class	Infected: Trojan-Downloader.Java.OpenStream.c	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\load54.jar-52866827-7f94ce4c.zip.bac_a01780/Counter.class	Infected: Trojan.Java.ClassLoader.h	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\load54.jar-52866827-7f94ce4c.zip.bac_a01780/Parser.class	Infected: Trojan.Java.ClassLoader.d	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\load54.jar-52866827-7f94ce4c.zip.bac_a01780	ZIP: infected - 3	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\load54.jar-52866827-7f94ce4c.zip.bac_a01780	CryptFF.b: infected - 3	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\loaderadv771.jar-1175044b-718203c7.zip.bac_a01780/Matrix.class	Infected: Trojan-Downloader.Java.OpenStream.c	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\loaderadv771.jar-1175044b-718203c7.zip.bac_a01780/Counter.class	Infected: Trojan.Java.ClassLoader.h	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\loaderadv771.jar-1175044b-718203c7.zip.bac_a01780/Parser.class	Infected: Trojan.Java.ClassLoader.d	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\loaderadv771.jar-1175044b-718203c7.zip.bac_a01780	ZIP: infected - 3	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\loaderadv771.jar-1175044b-718203c7.zip.bac_a01780	CryptFF.b: infected - 3	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\menklckf.exe.bac_a01780	Infected: Trojan-Proxy.Win32.Wopla.r	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\pgnefoek.dll.bac_a01780	Infected: Trojan-Proxy.Win32.Wopla.s	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winlogin.exe.bac_a01780	Infected: Trojan-Downloader.Win32.Delf.xf	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xpupdate.exe.bac_a01780	Infected: Packed.Win32.Tibs	skipped
C:\Documents and Settings\Administrator\.rainlendar2\rainlendar2.log	Object is locked	skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\imjp81u.dic	Object is locked	skipped
C:\Documents and Settings\Administrator\Application Data\Opera\Opera\mail\indexer\indexer.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Application Data\Opera\Opera\mail\lexicon\lexicon.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Application Data\Opera\Opera\mail\mailbase.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\weyrflame@hotmail.com\SharingMetadata\Logs\Dfsr.log	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\weyrflame@hotmail.com\SharingMetadata\pending.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\weyrflame@hotmail.com\SharingMetadata\Working\database_7664_15C0_6415_8451\dfsr.db	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\weyrflame@hotmail.com\SharingMetadata\Working\database_7664_15C0_6415_8451\fsr.log	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\weyrflame@hotmail.com\SharingMetadata\Working\database_7664_15C0_6415_8451\fsrtmp.log	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\weyrflame@hotmail.com\SharingMetadata\Working\database_7664_15C0_6415_8451\tmp.edb	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\weyrflame@hotmail.com\real\members.stg	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006103120061101\index.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF81B1.tmp	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF826D.tmp	Object is locked	skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Administrator\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Locksky1.zip/sachostx.exe	Suspicious: Password-protected-EXE	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Locksky1.zip	ZIP: suspicious - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos13.zip/stdrun14.exe	Suspicious: Password-protected-EXE	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos13.zip	ZIP: suspicious - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos27.zip/stdrun9.exe	Suspicious: Password-protected-EXE	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos27.zip	ZIP: suspicious - 1	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll	Object is locked	skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll	Object is locked	skipped
C:\Program Files\Winamp\Plugins\AudioScrobbler.log.txt	Object is locked	skipped
C:\RECYCLER\S-1-5-18\Dc11.exe	Infected: Trojan.Win32.Kolweb.b	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP591\A0183894.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0185089.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0185093.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0185096.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0187073.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188082.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188099.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188100.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188101.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188102.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188106.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188112.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188138.exe	Infected: Trojan-Clicker.Win32.Small.ja	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188142.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188149.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188150.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188368.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188369.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188399.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188402.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188403.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188411.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188449.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0189448.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0190448.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0190463.exe	Infected: Trojan-Clicker.Win32.Small.ja	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0190464.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0190466.exe	Infected: Trojan.Win32.Kolweb.b	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0190470.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191462.exe	Infected: Trojan.Win32.Kolweb.b	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191528.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191529.exe	Infected: Trojan.Win32.Kolweb.b	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191530.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193773.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193774.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193775.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193776.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193778.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193785.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193807.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0193808.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0194797.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0194802.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0194803.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195802.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195802.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195806.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195806.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195819.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195820.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195821.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195853.exe	Infected: Trojan.Win32.Kolweb.b	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195859.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195869.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195902.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195902.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195910.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195916.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195917.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195927.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195927.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195928.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195938.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195945.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195946.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195952.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195955.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195956.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195960.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195960.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195961.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195973.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195973.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195974.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195980.bat	Infected: Trojan.BAT.Zapchast	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195983.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195984.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195985.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195990.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195997.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195997.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196005.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196008.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196009.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196014.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196014.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196015.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196173.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196174.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196175.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196176.exe/EXE-file	Infected: Trojan-Downloader.Win32.Small.dxm	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196176.exe	Embedded EXE: infected - 1	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196177.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196178.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196179.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196183.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP599\A0202689.dll	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP599\A0202694.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP602\A0202881.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP602\A0202947.sys	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP602\A0202948.exe	Object is locked	skipped
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP605\change.log	Object is locked	skipped
C:\WINDOWS\ac3_0006.exe	Infected: Trojan-Downloader.Win32.Small.cyh	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\Setup90.exe/data0002	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\Setup90.exe/data0005	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\Setup90.exe/data0006	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\Setup90.exe	NSIS: infected - 3	skipped
C:\WINDOWS\Setup99.exe/data0002	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\Setup99.exe/data0005	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\Setup99.exe/data0006	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\Setup99.exe	NSIS: infected - 3	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\srvggetylx.exe/data0002	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvggetylx.exe/data0005	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvggetylx.exe/data0006	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvggetylx.exe	NSIS: infected - 3	skipped
C:\WINDOWS\srvthwmqjs.exe/data0002	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvthwmqjs.exe/data0005	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvthwmqjs.exe/data0006	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvthwmqjs.exe	NSIS: infected - 3	skipped
C:\WINDOWS\srvvhsahow.exe/data0002	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvvhsahow.exe/data0005	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvvhsahow.exe/data0006	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\srvvhsahow.exe	NSIS: infected - 3	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\ActiveScan\sporder.dll	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IMJP8_1\imjp81u.dic	Object is locked	skipped
C:\WINDOWS\system32\drivers\atapi.sys	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\tmp_40a.dll	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
D:\11b927e9ac692f2a3e27\sp2gdr\msmsgs.exe	Object is locked	skipped
D:\11b927e9ac692f2a3e27\sp2qfe\msmsgs.exe	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\branches.inf	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\eula.txt	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\KB887472.CAT	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\spcustom.dll	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\update.exe	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\update.ver	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\updatebr.inf	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\update_SP2GDR.inf	Object is locked	skipped
D:\11b927e9ac692f2a3e27\update\update_SP2QFE.inf	Object is locked	skipped
D:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
D:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP605\change.log	Object is locked	skipped
F:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
F:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP605\change.log	Object is locked	skipped

Scan process completed.

The HTML file is much easier to read.

Edited by ashton88, 01 November 2006 - 03:56 PM.


#12 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:15 PM

Posted 02 November 2006 - 07:47 AM

Hi ashton88, :thumbsup:

Rainlendar is a calendar, very popular amongst Windows and Linux users.


Thanks for the info.

...are you just copying and pasting instructions from a file? You're talking like I'm new to computers, and you seem very distant.


I do use canned speeches if that is what you mean; no sense in doing all the instructions over and over. Sorry if it makes me 'sound' distant.

If you notice the Kaspersky log, it found viruses in c:\System Volume Information\ . That looks pretty bad,


Anything in C:\System Volume Information\_restore can be flushed out by disabling then re-enabling System Restore.
Malware inside system restore is harmless unless that feature is used to restore the machine to an infected restore point. Once you're clean I will ask you to remove previous restore points and set a new one to purge any malware that may have been backed up; so please wait until I ask you to do that.

1. Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

2. Download, install, and update AVG Anti-Spyware 7.5

1. Save the installer to desktop
2. Double click the installer, select your language, and then select OK
3. Click NEXT>>Do or don't read the "User License Agreement"
Select I Agree>>>NEXT>>>INSTALL
4. AVG will now install and afterwards click FINISH
5. AVG Anti-Spyware 7.5 should now Load
6. Click the Update tab at the top. Under Manual Update click Start update.
7. After the update finishes (the status bar at the bottom will display "Update successful")
8. Close AVG Anti-Spyware 7.5. Do not run it yet.

3. Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 a few times before Windows loads. Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account

Once in safe mode

* Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
* Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and
Uncheck "Only if Threats are found"
* Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
* AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
* Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

4. Using Windows Explorer, please delete the following files in bold if listed:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\WINDOWS\ac3_0006.exe
C:\WINDOWS\Setup90.exe
C:\WINDOWS\Setup99.exe
C:\WINDOWS\srvggetylx.exe
C:\WINDOWS\srvthwmqjs.exe
C:\WINDOWS\srvvhsahow.exe

Let me know if you had problems with this step.

5. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

Please reboot to go back into Normal mode and post the Smitfraud report along with the AVG report and a fresh HijackThis log.

#13 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 02 November 2006 - 09:50 PM

HiJack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:11 PM, on 11/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Opera\Opera.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader0713.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Smitfraud log:

SmitFraudFix v2.117

Scan done at 11:32:01.02, 11/02/2006 Thu
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:	1:15:09 PM 11/2/2006

 + Scan result:	



C:\WINDOWS\system32\dhhtavjv.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0185099.dll -> Adware.TopInstalls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188137.dll -> Adware.TopInstalls : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gtool.dll -> Adware.TopInstalls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP602\A0202948.exe -> Downloader.Nurech.h : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmp_40a.dll -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP599\A0202694.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP599\A0202689.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0184099.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0185082.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188065.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188158.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0188426.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191612.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191613.exe -> Hijacker.Small : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE083} -> Logger.Agent.io : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\garbage\devious\BluesPortScan.exe -> Not-A-Virus.NetTool.Win32.Delf.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0191530.exe -> Proxy.Wopla.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP602\A0202947.sys -> Rootkit.Agent.cf : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0196173.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP602\A0202881.exe -> Trojan.Sinowal.be : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP606\A0205373.dll -> Trojan.Sinowal.be : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP606\A0205372.dll -> Trojan.Sinowal.bg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B70F02FD-1CFD-487B-B34F-3B037946C84D}\RP594\A0195980.bat -> Trojan.Zapchast : Cleaned with backup (quarantined).


::Report end

Also, since I removed ZoneAlarm from my computer my system resources problem went away. I now use Sygate. So my computer isn't really having any problems anymore.

Edited by ashton88, 03 November 2006 - 12:20 AM.
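As an added example (not from this thread or from HijackThis itself), here is a small Python parser for the O4/O23 lines of a HijackThis log like the one above. It flags the startup entries a helper would look at first: anything starting from a user profile directory, bare file names with no directory, and the KernelFaultCheck crash-dump leftover. The sample lines are constructed from the shapes in the posted log, and the review rules are my own, not a HijackThis feature.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format; the lines copy the
# shapes that appear in the posted log, nothing else is invented.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# One regex per HijackThis section of interest; named groups give a uniform record.
PATTERNS = {
    "O4-Run": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O4-Startup": re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.+)$"),
}

# Locations an ordinary user can write to; a Run entry pointing there deserves a look.
USER_WRITABLE = re.compile(
    r"\\(Documents and Settings|Users)\\(?!All Users\\)|\\Temp\\|\\Desktop\\", re.IGNORECASE)

EXE_RX = re.compile(r"(.+?\.(?:exe|dll|bat|cmd|scr|com|pif))(?:\s|,|$)", re.IGNORECASE)


def executable_of(cmd):
    """Pull the program out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RX.match(cmd)    # unquoted path with spaces: stop at the first extension
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text):
    """Return one record per O4/O23 line; other sections are ignored."""
    records = []
    for line in text.strip().splitlines():
        for section, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                rec = {"section": section, **m.groupdict()}
                rec["exe"] = executable_of(rec["cmd"])
                records.append(rec)
                break
    return records


def review_autostarts(records):
    """Flag O4 entries a helper would check first, as (name, reason) pairs."""
    findings = []
    for r in records:
        if not r["section"].startswith("O4"):
            continue
        exe = r["exe"]
        if r["name"] == "KernelFaultCheck" and "dumprep" in exe.lower():
            # Left behind after a system crash; harmless, but helpers usually remove it.
            findings.append((r["name"], "crash-dump reporting leftover; harmless, usually removed"))
        elif USER_WRITABLE.search(exe):
            findings.append((r["name"], "starts from a user-writable profile location: " + exe))
        elif "\\" not in exe:
            findings.append((r["name"], "bare file name resolved via PATH; confirm its origin: " + exe))
    return findings


if __name__ == "__main__":
    for name, reason in review_autostarts(parse_hjt(SAMPLE_LOG)):
        print(f"[{name}] {reason}")
```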


#14 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:15 PM

Posted 03 November 2006 - 10:29 AM

Hi ashton88, :thumbsup:

Also, since I removed ZoneAlarm from my computer my system resources problem went away. I now use Sygate. So my computer isn't really having any problems anymore.


That's good to hear, but I'm afraid we're not done yet, so stick with me.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Run HijackThis, click Scan and checkmark the following entry:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

Please reboot again and copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.

#15 ashton88

ashton88
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 03 November 2006 - 01:12 PM

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:32 AM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeeEnEs] C:\Documents and Settings\Administrator\Desktop\garbage\dyndns\DeeEnEs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader0713.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\whmmjmkm

*******************

Script file located at: \??\C:\WINDOWS\fsfxfwwi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.

Completed script processing.

*******************

Finished!  Terminate.

Edited by ashton88, 03 November 2006 - 01:15 PM.




