
Malware,spyware Running In Backround


This topic is locked
12 replies to this topic

#1 1976MKIV

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 20 January 2007 - 10:12 PM

I believe I have some malware or spyware running on my computer. I've found files with game01, game02, game03, up to game06 in some places. I've deleted files with the name pfunk, aaaaa and various others I can't remember. I've tried to manually search and delete all this stuff, but I don't think I've got the real problem yet. These things still show up in searches after I restart the computer. Here is a HijackThis log. Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 12:03:30 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\TRIXX\TRIXX.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\clcbt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tigerpaw\My Documents\HiJackThis\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE7-WindowsXP-x86-enu.exe
e:\30b6942d5648e75d96\update\iesetup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TRIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [agent] C:\WINDOWS\system32\ppl.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 21 January 2007 - 07:39 AM

Hello,

You have several different nasty infections present. Actually, this doesn't surprise me at all, because I do not see you are running an Antivirus and Firewall!!
This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease their reliability!
Agnitum Outpost Free, ZoneAlarm Free OR Kerio are FREE firewalls.

Understanding and using firewalls

You are unfortunately dealing with a file infector. This means that, in this case, EVERY exe and rar file on your system may be infected. This means legit files as well. And those may not get deleted, but disinfected instead. So actually it's now all up to the scanners to disinfect them, because we can't do anything manually here.

The problem with this file infector is (since I tested this one myself) that when it attempts to infect a legit exe file, it sometimes fails to do this properly as well; the result is that the legit file doesn't get infected, but gets corrupted instead. Since those are not infected, antivirus scanners won't flag them either, leaving you with a corrupt legit exe instead. So after the antivirus scanner was able to disinfect the files, many files may still be present that are corrupt and won't work anymore. Those you'll have to replace afterwards with a "working" copy.

We can give this a try, but keep in mind that damage can still appear afterwards and a format and reinstall will still be the best, fastest and safest option, since we can't always restore the corrupted files and fix the errors.
So if you decide to give it a try, perform the next steps in the right order.

Then,

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!)
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [agent] C:\WINDOWS\system32\ppl.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    I need the logs later
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found (see image).
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply together with a new Hijackthislog and log from SDfix.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
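The steps above end with a saved DrWeb.csv report; the added script below (not code from this thread or from Dr.Web) triages such a report. It assumes the semicolon-separated line layout visible in the log posted later in this thread (file;directory;threat;action;) and runs on a constructed sample, separating disinfected live executables (the ones the post says may have been corrupted rather than infected and should be checked) from quarantined droppers and System Restore snapshot copies.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) after a file-infector cleanup.

Added example, not code from the thread or from Dr.Web. Assumed layout per
report line:  <file>;<directory>;<threat>;<action>;
"""
from collections import Counter, defaultdict

# Constructed sample in the assumed DrWeb.csv layout (restore-point GUID is a placeholder).
SAMPLE_REPORT = r"""
atiptaxx.exe;c:\program files\ati technologies\ati control panel;Win32.Dref;Cured.;
uvklqeaa.cov;c:\windows\system32;Trojan.Click.1242;Deleted.;
gmxeelqq.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
A0048772.exe;E:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP285;Trojan.DownLoader.6811;Deleted.;
A0050456.rbf;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP304;Win32.Dref;Cured.;
ccwhdzhs.exe;C:\WINDOWS\system32;Trojan.DownLoader.14222;Deleted.;
aaaamwda.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
this line is malformed and must be skipped
"""

# Executable types whose disinfected copies should be verified afterwards.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "ocx", "scr"}


def parse_report(text):
    """Return one dict per well-formed report line; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4 or not parts[0]:
            continue  # blank line, or not in file;dir;threat;action layout
        name, directory, threat, action = parts[:4]
        records.append({
            "file": name,
            "directory": directory,
            "threat": threat,
            "action": action.rstrip("."),  # "Cured." -> "Cured"
            # System Volume Information holds System Restore snapshots, not live files
            "restore_point": "system volume information" in directory.lower(),
        })
    return records


def summarize(records):
    """Count (threat, action) pairs, e.g. how many Win32.Dref files were cured vs. moved."""
    return Counter((r["threat"], r["action"]) for r in records)


def live_cured_executables(records):
    """Disinfected executables outside System Restore snapshots.

    These are legitimate programs the infector patched. As the post explains, a
    failed infection can leave such a file corrupt instead of infected, and the
    scanner will not flag that, so each one should be checked that it still runs
    and replaced from a clean copy if it does not.
    """
    hits = []
    for r in records:
        ext = r["file"].rsplit(".", 1)[-1].lower()
        if r["action"] == "Cured" and ext in EXECUTABLE_EXTENSIONS and not r["restore_point"]:
            hits.append(r["directory"] + "\\" + r["file"])
    return hits


def moved_by_directory(records):
    """Group incurable (quarantined) files by directory to show where droppers clustered."""
    groups = defaultdict(list)
    for r in records:
        if r["action"].startswith("Incurable"):
            groups[r["directory"]].append(r["file"])
    return dict(groups)


def restore_point_entries(records):
    """Detections inside System Volume Information: snapshot copies, not running files."""
    return [r for r in records if r["restore_point"]]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for (threat, action), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {threat:<24} {action}")
    print("verify or replace:", *live_cured_executables(recs), sep="\n  ")
    for directory, files in moved_by_directory(recs).items():
        print(f"quarantined from {directory}: {', '.join(files)}")
    print(f"{len(restore_point_entries(recs))} detections were restore-point copies")
```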

#3 1976MKIV

  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 22 January 2007 - 05:47 AM

OK, I downloaded AVG for an anti-virus, and ZoneAlarm for a firewall. I also completed all the steps in the previous post.

First, the Dr.Web log:


atiptaxx.exe;c:\program files\ati technologies\ati control panel;Win32.Dref;Cured.;
nerocheck.exe;c:\program files\common files\ahead\lib;Win32.Dref;Cured.;
idrivert.exe;c:\program files\common files\installshield\driver\11\intel 32;Win32.Dref;Cured.;
osa.exe;c:\program files\microsoft office\office10;Win32.Dref;Cured.;
qttask.exe;c:\program files\quicktime;Win32.Dref;Cured.;
aspnet_state.exe;c:\windows\microsoft.net\framework\v1.1.4322;Win32.Dref;Cured.;
ati2sgag.exe;c:\windows\system32;Win32.Dref;Cured.;
uvklqeaa.cov;c:\windows\system32;Trojan.Click.1242;Deleted.;
gmxeelqq.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
gmxeepuq.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
gmxjgdor.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
pfufuctp.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
pfukkuia.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
pfukkuuq.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
vrsookhy.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
vrstehbm.t;E:\Driv3r;Win32.Dref;Incurable.Moved.;
gmxeepcm.t;E:\KOTOR;Win32.Dref;Incurable.Moved.;
gmxeepfw.t;E:\KOTOR;Win32.Dref;Incurable.Moved.;
pfufucnx.t;E:\KOTOR;Win32.Dref;Incurable.Moved.;
sltwrctx.t;E:\KOTOR;Win32.Dref;Incurable.Moved.;
swupdate.exe;E:\KOTOR;Win32.Dref;Cured.;
swstub.exe;E:\KOTOR\utils;Win32.Dref;Cured.;
hk5nWOD.exe;E:\Pictures\Little Rob;Win32.Dref;Incurable.Moved.;
A0048739.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048740.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048741.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048742.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048743.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048744.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048745.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048746.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048768.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048769.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048770.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048771.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048772.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Trojan.DownLoader.6811;Deleted.;
A0048773.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048774.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048775.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048776.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048777.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048782.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048787.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048789.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP285;Win32.Dref;Cured.;
A0048949.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048950.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048951.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048952.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048953.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Trojan.DownLoader.6811;Deleted.;
A0048954.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048955.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048956.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048957.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048958.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048960.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048961.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0048963.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Win32.Dref;Cured.;
A0050172.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050173.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050174.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050175.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050176.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Trojan.DownLoader.6811;Deleted.;
A0050177.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050178.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050179.exe;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP293;Win32.Dref;Cured.;
A0050463.rbf;E:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP305;Win32.Dref;Cured.;
gmxjgbaf.t;C:\Program Files\MSN\MSNCoreFiles;Win32.Dref;Incurable.Moved.;
sltctryl.t;C:\Program Files\MSN\MSNCoreFiles;Win32.Dref;Incurable.Moved.;
vrstqvfr.t;C:\Program Files\MSN\MSNCoreFiles;Win32.Dref;Incurable.Moved.;
vrstqvjj.t;C:\Program Files\MSN\MSNCoreFiles;Win32.Dref;Incurable.Moved.;
pfukwnwp.t;C:\Program Files\MSN\MSNCoreFiles\Setup;Win32.Dref;Incurable.Moved.;
gmxjgbxq.t;C:\RECYCLER\S-1-5-21-448539723-1935655697-682003330-1004;Win32.Dref;Incurable.Moved.;
sltctrwe.t;C:\RECYCLER\S-1-5-21-448539723-1935655697-682003330-1004;Win32.Dref;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0050108.exe;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP290;Trojan.DownLoader.14222;Deleted.;
A0050456.rbf;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP304;Win32.Dref;Cured.;
A0050457.rbf;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP304;Win32.Dref;Cured.;
A0050458.rbf;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP304;Win32.Dref;Cured.;
A0051038.exe;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP314;BackDoor.Groan;Deleted.;
A0056194.exe;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP319;BackDoor.Groan;Deleted.;
A0056210.sys;C:\System Volume Information\_restore{22C16DBA-0C05-4D7E-88BE-F375262A8D1B}\RP319;BackDoor.Groan;Deleted.;
pfukwnls.t;C:\WINDOWS\Downloaded Program Files;Win32.Dref;Incurable.Moved.;
ccwhdzhs.exe;C:\WINDOWS\system32;Trojan.DownLoader.14222;Deleted.;
mcfhjhou.exe;C:\WINDOWS\system32;Trojan.DownLoader.14222;Deleted.;
riolndlv.exe;C:\WINDOWS\system32;Trojan.DownLoader.14222;Deleted.;
uwdkaomo.exe;C:\WINDOWS\system32;Trojan.DownLoader.14222;Deleted.;
wtbjoalo.exe;C:\WINDOWS\system32;Trojan.DownLoader.14222;Deleted.;
aaaamwda.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwde.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwdr.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwha.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwhf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwlk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwls.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwlx.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwpk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwpw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwpx.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwtd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwte.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwtf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwtg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwtp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwyd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwye.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwyg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwyj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwyk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwym.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
aaaamwyw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbam.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbax.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbay.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbff.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbfk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbfp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbja.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbjk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbjs.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbjy.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbnd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbnl.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbnr.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbrw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbva.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbve.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
dgyrjbvq.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfck.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfcw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfcy.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfga.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfgf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfgj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfgq.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfgy.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfla.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfle.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgflg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfll.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgflr.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfpa.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfpe.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgftx.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfxa.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfxe.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
gmxjgfxl.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjee.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjef.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjeq.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjew.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjia.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjik.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjiw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjix.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjmg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjmp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjng.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjrd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjrs.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjrw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjvd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjvg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjvp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjvs.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
jswbdjvw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanca.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsancj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanck.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsancp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsancx.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsancy.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanga.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsangl.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsangp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsankf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsankj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsankm.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsankr.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanor.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsansk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsansq.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanxl.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanxp.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
myvsanxx.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwref.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrem.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwres.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrey.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrif.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwril.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrmg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrmr.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrqe.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrqj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrqw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrqy.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrug.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrul.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrup.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwrur.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwryl.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
pfukwryw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvbl.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvbq.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvfe.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvfy.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvkd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvke.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvkj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvks.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvkw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvky.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvod.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvoj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvom.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvop.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvse.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvsg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvss.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvsw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvwd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvwe.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvwf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvwg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
sltctvws.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqadd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqadf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqadj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqadr.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqadw.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqahf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqahj.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqahk.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqala.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqalf.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqalg.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqalq.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqals.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqaqd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqaqx.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqaum.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqaus.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqaya.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;
vrstqayd.t;C:\WINDOWS\system32\dllcache;Win32.Dref;Incurable.Moved.;

Second, HiJackThis-

Logfile of HijackThis v1.99.1
Scan saved at 7:39:04 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TRIXX\TRIXX.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Tigerpaw\My Documents\HiJackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TRIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

And lastly, SDFix

SDFix: Version 1.61

Mon 01/22/2007 - 17:16:01.56

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
wincom32

Path:
\??\C:\WINDOWS\system32\wincom32.sys

wincom32 Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINDOWS\system32\\Winlogon.ini - Deleted
C:\WINDOWS\system32\game0.exe.exe - Deleted
C:\WINDOWS\system32\game5.exe.exe - Deleted
C:\WINDOWS\system32\google.png.exe - Deleted
C:\WINDOWS\system32\adir.dll - Deleted
C:\WINDOWS\system32\adirss.exe - Deleted
C:\WINDOWS\system32\clcbt.exe - Deleted
C:\WINDOWS\system32\DAP.exe - Deleted
C:\WINDOWS\system32\game0.exe - Deleted
C:\WINDOWS\system32\game1.exe - Deleted
C:\WINDOWS\system32\game2.exe - Deleted
C:\WINDOWS\system32\game4.exe - Deleted
C:\WINDOWS\system32\game5.exe - Deleted
C:\WINDOWS\system32\peers.ini - Deleted
C:\WINDOWS\system32\syspools.exe - Deleted
C:\WINDOWS\system32\taskdir.exe - Deleted
C:\WINDOWS\system32\w.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted



Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LucasArts\\SWKotOR\\swupdate.exe"="C:\\Program Files\\LucasArts\\SWKotOR\\swupdate.exe:*:Enabled:Star Wars: Knights of the old Republic Update Program"
"C:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.9.0.4937-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\KOTOR\\swupdate.exe"="E:\\KOTOR\\swupdate.exe:*:Enabled:Star Wars: Knights of the old Republic Update Program"
"E:\\Empire Interactive\\FlatOut 2\\flatout2.exe"="E:\\Empire Interactive\\FlatOut 2\\flatout2.exe:*:Enabled:FlatOut 2"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\game1.exe"="C:\\WINDOWS\\system32\\game1.exe:*:Enabled:enable"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\RECYCLER\S-1-5-21-448539723-1935655697-682003330-1004\Dc1491.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\WINDOWS\system32\msmapi32.exe.MANIFEST
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys

Finished

And that should be all of it.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 22 January 2007 - 01:57 PM

Hi,

Since you decided to do the manual removal instead, you have to keep in mind that programs may still be corrupt and errors may still appear. This is normal when dealing with file infectors. There isn't much we can do about this unfortunately.

Also, your system was badly infected with other nasty malware (backdoors/trojans), so you will never be able to trust this system 100% again.

And we are not finished here yet... Please perform the next steps in the right order.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next file:

C:\WINDOWS\system32\msmapi32.exe.MANIFEST

Don't delete any other manifest file there!!

Then,

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\game1.exe"=-

Save this as fix.reg. Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then, * Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
I need the results of the Panda scan afterwards.

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with the results of Pandascan.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
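The firewall export in the SDFix log above shows why the fix.reg is needed: the infection added its own exception, `C:\WINDOWS\system32\game1.exe`, to the Windows Firewall AuthorizedApplications list, and the `"name"=-` syntax in a REGEDIT4 file deletes that value (the same syntax removes the `taskdir` run-key values later in the thread). As an added example, not part of this thread and not code from SDFix, HijackThis or any other tool named here, the Python script below parses such an export, flags entries with two heuristics of its own (a program under the Windows directory whose display name is not a resource string like `@xpsp2res.dll,-22019`, as the legitimate system entries in the export use, or a generic display name such as `enable`), and emits a REGEDIT4 removal file. The sample export is constructed from four lines of the posted SDFix output; all function names are this example's own.

```python
"""Audit a Windows Firewall AuthorizedApplications .reg export and build a
REGEDIT4 file that deletes flagged values with the "name"=- syntax.
Added example; the heuristics and function names are this script's own."""
import re
from typing import Dict, List, Tuple

FIREWALL_STANDARD_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                         r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample: four lines taken from the SDFix export posted in this thread.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LucasArts\\SWKotOR\\swupdate.exe"="C:\\Program Files\\LucasArts\\SWKotOR\\swupdate.exe:*:Enabled:Star Wars: Knights of the old Republic Update Program"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\game1.exe"="C:\\WINDOWS\\system32\\game1.exe:*:Enabled:enable"
'''

# .reg syntax: "name"="data", with backslash and double quote escaped by a backslash.
_KEY_RE = re.compile(r'^\[(.+)\]$')
_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Firewall data layout: path:scope:Enabled|Disabled:display name (the name may contain ':').
_DATA_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$',
    re.IGNORECASE)

_WINDOWS_DIR_MARKERS = ("\\windows\\", "%windir%\\", "%systemroot%\\")
_GENERIC_NAMES = {"", "enable", "enabled"}


def _unescape(s: str) -> str:
    """Undo .reg escaping (a backslash escapes a backslash or a double quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def _escape(s: str) -> str:
    """Apply .reg escaping to a value name."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_authorized_apps(export: str) -> List[Dict[str, str]]:
    """Return one dict per "name"="data" line, tagged with its enclosing key."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for raw in export.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        line_match = _LINE_RE.match(line)
        if not line_match:
            continue  # REGEDIT4 header, blank line or anything that is not a value
        entry = {"key": current_key,
                 "value_name": _unescape(line_match.group(1)),
                 "path": "", "scope": "", "state": "", "display_name": ""}
        data = _DATA_RE.match(_unescape(line_match.group(2)))
        if data:
            entry.update(path=data["path"], scope=data["scope"],
                         state=data["state"], display_name=data["name"])
        entries.append(entry)
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristics (this example's own): Windows' own exceptions in the export use
    resource-string names such as @xpsp2res.dll,-22019, so a program under the
    Windows directory with a plain or generic name deserves a look."""
    reasons = []
    path_l = entry["path"].lower()
    name = entry["display_name"].strip()
    if any(m in path_l for m in _WINDOWS_DIR_MARKERS) and not name.startswith("@"):
        reasons.append("executable under the Windows directory without a resource-string name")
    if name.lower() in _GENERIC_NAMES:
        reasons.append("generic or empty display name")
    if entry["path"] and entry["path"].lower() != entry["value_name"].lower():
        reasons.append("value name and embedded path differ")
    return reasons


def audit(export: str) -> Tuple[List[Dict[str, str]], List[Tuple[Dict[str, str], List[str]]]]:
    """Parse the export and return (all entries, [(entry, reasons)] for flagged ones)."""
    entries = parse_authorized_apps(export)
    checked = [(e, suspicious_reasons(e)) for e in entries]
    return entries, [(e, r) for e, r in checked if r]


def removal_reg_for_flagged(export: str) -> str:
    """Build a REGEDIT4 file that deletes each flagged value ("name"=-), grouped by key."""
    _, flagged = audit(export)
    by_key: Dict[str, List[str]] = {}
    for entry, _reasons in flagged:
        by_key.setdefault(entry["key"], []).append(entry["value_name"])
    lines = ["REGEDIT4"]
    for key, names in by_key.items():
        lines += ["", f"[{key}]"] + [f'"{_escape(n)}"=-' for n in names]
    return "\r\n".join(lines) + "\r\n"  # .reg files are CRLF text


if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_EXPORT)[1]:
        print(f"{entry['value_name']}: {'; '.join(reasons)}")
    print(removal_reg_for_flagged(SAMPLE_EXPORT))
```

Run against the constructed sample, only the `game1.exe` value is flagged, and the generated file is exactly the shape of the fix.reg above (header, key in brackets, `"escaped\\path"=-`). The heuristics are deliberately narrow; review every flagged entry by hand before merging a removal file, since a legitimate program installed under the Windows directory would trip the first rule too.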

#5 1976MKIV

1976MKIV
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:56 AM

Posted 23 January 2007 - 09:08 AM

I've completed all those steps.

Here is the Panda Scan log


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tigerpaw\Desktop\Computer fixes\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tigerpaw\DoctorWeb\Quarantine\Process.exe
Adware:Adware/AntispywareSoldier Not disinfected C:\Program Files\backups\backup-20061020-063120-529.dll
Adware:Adware/AntispywareSoldier Not disinfected C:\Program Files\backups\backup-20061020-064919-271.dll
Adware:adware/thespyguard Not disinfected C:\WINDOWS\bg.gif
Adware:Adware/AntispywareSoldier Not disinfected C:\WINDOWS\system32\instreg_tmp.exe
And now the ComboFix log

"Tigerpaw" - 07-01-23 23:00:13 Service Pack 2
ComboFix 07-01-23.2 - Running from: "C:\Documents and Settings\Tigerpaw\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-23 to 2007-01-23 ))))))))))))))))))))))))))))))))))


2007-01-23 22:16 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-23 22:16 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-23 10:47 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-01-23 09:59 <DIR> d-------- C:\Program Files\Common Files\Real
2007-01-23 09:59 <DIR> d-------- C:\DOCUME~1\Tigerpaw\Application Data\Real
2007-01-23 00:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-23 00:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-22 19:21 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-22 18:01 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-22 18:01 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-22 18:01 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-22 18:01 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-22 18:01 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-22 18:01 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-22 18:01 <DIR> d-------- C:\Program Files\Grisoft
2007-01-22 18:01 <DIR> d-------- C:\DOCUME~1\Tigerpaw\Application Data\AVG7
2007-01-22 18:01 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-22 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-22 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-01-22 17:42 <DIR> d-------- C:\DOCUME~1\Tigerpaw\DoctorWeb
2007-01-22 16:50 <DIR> d-------- C:\SDFix
2007-01-22 16:40 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-22 16:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-22 16:40 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-01-22 16:40 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-22 16:39 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-01-21 12:08 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-21 12:08 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-21 12:07 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-21 12:06 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-21 12:05 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-20 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-20 21:50 <DIR> d-------- C:\Program Files\CCleaner
2007-01-11 21:57 <DIR> d-------- C:\Program Files\Ventrilo
2007-01-11 21:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-01 23:54 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-12-30 12:15 15,360 --a------ C:\WINDOWS\system32\intr32.dll
2006-12-24 11:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-23 22:56 -------- d-------- C:\DOCUME~1\Tigerpaw\Application Data\skype
2007-01-23 22:33 -------- d-------- C:\Program Files\trixx
2007-01-23 22:30 -------- d-------- C:\Program Files\linksys wireless-g pci network adapter with speedbooster
2007-01-23 22:28 -------- d-------- C:\Program Files\itunes
2007-01-23 22:27 -------- d-------- C:\Program Files\browser mouse
2007-01-23 21:00 -------- d-------- C:\Program Files\consoleclassix.com
2007-01-23 11:38 -------- d-------- C:\Program Files\Common Files\ahead
2007-01-23 10:46 -------- d--h----- C:\Program Files\installshield installation information
2007-01-23 02:40 -------- d-------- C:\Program Files\thomson
2007-01-22 20:17 -------- d-------- C:\Program Files\quicktime
2007-01-22 20:17 -------- d-------- C:\Program Files\messenger
2007-01-22 18:00 -------- d---s---- C:\DOCUME~1\Tigerpaw\Application Data\microsoft
2007-01-11 21:50 -------- d-------- C:\Program Files\ventsrv
2007-01-11 09:37 -------- d-------- C:\Program Files\dvd shrink
2007-01-11 09:37 -------- d-------- C:\Program Files\avi codec pack
2007-01-11 09:36 -------- d-------- C:\Program Files\windows nt
2007-01-11 09:33 -------- d-------- C:\Program Files\limewire
2007-01-11 09:33 -------- d-------- C:\Program Files\irfanview
2007-01-11 09:32 -------- d-------- C:\Program Files\ares mp3
2007-01-11 09:30 -------- d-------- C:\Program Files\utorrent
2007-01-01 14:41 -------- d-------- C:\Program Files\backups
2006-12-27 12:05 -------- d-------- C:\DOCUME~1\Tigerpaw\Application Data\utorrent
2006-12-19 15:21 -------- d-------- C:\Program Files\java
2006-12-02 15:34 5965 --a------ C:\Program Files\hijackthis.log
2006-11-28 20:40 -------- d-------- C:\Program Files\Common Files\blizzard entertainment
2006-11-25 12:41 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-11-08 14:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser MOUSE\\mouse32a.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"TRIXX"="\"C:\\Program Files\\TRIXX\\TRIXX.exe\" -s"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


Completion time: 07-01-23 23:02:27

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 23 January 2007 - 09:17 AM

Hello,

Delete next files and folder:

C:\Program Files\backups <= folder
C:\WINDOWS\bg.gif
C:\WINDOWS\system32\instreg_tmp.exe
C:\WINDOWS\system32\intr32.dll

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"taskdir"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"taskdir"=-

Save this as remove.reg. Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

As a final check...

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.

Edited by miekiemoes, 23 January 2007 - 09:19 AM.


#7 1976MKIV

1976MKIV
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:56 AM

Posted 23 January 2007 - 10:38 AM

I have completed those steps.

Here is the Blacklight log

01/24/07 00:26:24 [Info]: BlackLight Engine 1.0.55 initialized
01/24/07 00:26:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/24/07 00:26:25 [Note]: 7019 4
01/24/07 00:26:25 [Note]: 7005 0
01/24/07 00:26:34 [Note]: 7006 0
01/24/07 00:26:34 [Note]: 7011 2860
01/24/07 00:26:34 [Note]: 7026 0
01/24/07 00:26:34 [Note]: 7026 0
01/24/07 00:26:39 [Note]: FSRAW library version 1.7.1021
01/24/07 00:36:10 [Note]: 7007 0

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 23 January 2007 - 10:39 AM

Looking good.
How are things now?

#9 1976MKIV

1976MKIV
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 23 January 2007 - 11:41 AM

As far as I can tell (with my limited experience lol) everything looks good.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 23 January 2007 - 11:51 AM

Ok, good to hear.

In any case, it wouldn't hurt to perform a full scan with your antivirus to get rid of the leftovers, if still present.
I guess you were very lucky here though, because in most such cases a format and reinstall was necessary.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 1976MKIV

1976MKIV
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:56 AM

Posted 23 January 2007 - 11:52 AM

Thanks for the help. I appreciate it.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 23 January 2007 - 11:59 AM

You're welcome :thumbsup:

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:56 PM

Posted 24 January 2007 - 08:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
