
Seeking Help Against Hijacking


  • This topic is locked
10 replies to this topic

#1 seifer_md

seifer_md

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 30 January 2007 - 06:08 AM

I've gone home to my family's house these holidays to find the computer here is hugely infected with spyware. The most noticeable symptoms include the homepage being changed to www.virushelpzone.com and the sudden closing of programs such as hijackthis and regedit/msconfig. I got a log for hijackthis in safe mode which will follow this post. If anyone could help me out I would be truly grateful, thanks.

Hijackthis log:
----------------
Logfile of HijackThis v1.99.1
Scan saved at 9:42:28 PM, on 30/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com/ap/ap/en/gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{A81C6387-0C78-1033-0525-05011205003d}] "C:\Program Files\Common Files\{A81C6387-0C78-1033-0525-05011205003d}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: bw+0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
---------------------------

Uninstall List log:
-------------------

Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
Adobe SVG Viewer 3.0
Azureus
Battlefield 2™
CCleaner (remove only)
CDuke
Christen Eagle II 1.0
Command & Conquer The First Decade
Company of Heroes
Counter-Strike 1.6
Creative MediaSource
Crimsonland
DATAFAB Media Reader
Dell Support 3.1
Diablo II
DivX
DivX Player
DRIV3R
EA SPORTS online 2006
EPSON Printer Software
eTrust Vet Antivirus
Fallout Tactics
Far Cry
GameSpy Arcade
Google Earth Pro
GTR 2 1.0.0.0
Half-Life® 2
Hamachi 0.9.9.9
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB929120)
Intel Matrix Storage Manager
Intel® PRO Network Connections Software v9.2.4.11
Intel® PROSafe for Wired Connections
Intel® PROSafe for Wired Connections
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 8
Java™ SE Runtime Environment 6
Just Flight FS Terrain v1.00
Lab DJ 2
Launchy 1.0 Beta
LEGO Star Wars II
LimeWire 4.12.6
Logitech Desktop Messenger
Logitech SetPoint
Macromedia Flash Player 8
Macromedia Shockwave Player
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft ActiveSync 4.0
Microsoft Age of Empires
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Flight Simulator X Demo
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox (1.5.0.9)
Mozilla Thunderbird (1.0.6)
MSN
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Musicnotes Player V1.22.2
Neighbours From Hell 2
Neighbours From Hell Online Demo
Network Play System (Patching)
Neverwinter Nights
NVIDIA Drivers
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
Oblivion
Outerinfo
Outerinfo
PerformanceTest v6.0
PowerDVD 5.5
PSPWare
Puzzle Pirates
QuickTime
Race Driver 3
RealPlayer Basic
Registry Mechanic 5.2
Road Angel - AU
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Sid Meier's Civilization 4
Skype 1.4
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony MP4 Shared Library
Sound Blaster Audigy 2 ZS
Spy Sweeper
Steam™
StyleXP (remove only)
SWAT 4
The Sims Hot Date
Theme Hospital
Themexp.org File
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Media Player (Remove Only)
WebCyberCoach 3.2 Dell
WebEQ Trial
Window Washer
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
WinRAR archiver
World of Warcraft
Xfire (remove only)
Yahoo! Toolbar
----------------------



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:35 PM

Posted 30 January 2007 - 02:00 PM

Hello and welcome aboard :thumbsup:

Let's get started.

Just for a fast log clean-up (these aren't malware, optional though, definitely not necessary in the log -- just takes space).... Please run a scan with HijackThis and check ALL the O18 Logitech Desktop Messenger lines like this EXCEPT FOR ONE:

O18 - Protocol: bw+0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Basically, check all the similar lines to this for removal (leave 1), then hit FIX CHECKED -- with all open windows closed except for HijackThis, including this browser window.

Now for the malware cleanup :flowers:

Through Add/Remove Programs list, uninstall this entry:

Outerinfo <-- Anything that says outerinfo.

Then....

---

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
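The two log-review steps above (trim the duplicate O18 handlers to one, look hard at the orphaned "Unknown owner" service) as an added Python example; this is not code from the thread, from HijackThis or from ComboFix. The sample lines are constructed in HijackThis v1.99 line format from the log posted earlier, the function names are mine, and the checks are simple heuristics that produce leads for a human reviewer, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 line format, modelled on the log posted
# above: two O4 autostart entries, a few of the Logitech O18 protocol handlers,
# one orphaned O18 handler and two O23 services. Raw string: backslashes are literal.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [{A81C6387-0C78-1033-0525-05011205003d}] "C:\Program Files\Common Files\{A81C6387-0C78-1033-0525-05011205003d}\Update.exe" te-110-12-0000282
O18 - Protocol: bw+0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One HijackThis entry: section tag (R0..R3, F0..F3, N1..N4, O1..O24), " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# O4 run-key value whose name is a bare GUID, e.g. [{A81C6387-0C78-1033-0525-05011205003d}].
GUID_RUN_KEY_RE = re.compile(
    r"^HK(?:LM|CU)\\\.\.\\Run: \[\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\]",
    re.IGNORECASE,
)


def parse_entries(text):
    """Return [(section, body)] for every entry line; process lists etc. are ignored."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def duplicate_protocol_handlers(entries):
    """Map each DLL registered under more than one O18 protocol name to those names.

    Each group can be reduced to a single entry, which is the optional
    log-cleanup step suggested in the reply above.
    """
    by_dll = defaultdict(list)
    for section, body in entries:
        if section != "O18":
            continue
        parts = body.split(" - ", 2)  # "Protocol: name", "{CLSID}", "path"
        if len(parts) != 3 or not parts[0].startswith("Protocol: "):
            continue
        by_dll[parts[2].strip()].append(parts[0][len("Protocol: "):])
    return {dll: names for dll, names in by_dll.items() if len(names) > 1}


def suspicious_entries(entries):
    """Return [(section, [reasons], body)] for entries worth a closer look.

    Leads only: an O18 handler whose file is gone is usually an uninstall
    leftover, whereas a service with no publisher and a missing binary (the
    svchosts.exe entry in the log above) is what ComboFix later removed.
    """
    findings = []
    for section, body in entries:
        reasons = []
        if "(file missing)" in body:
            reasons.append("target file missing")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if section == "O4" and GUID_RUN_KEY_RE.match(body):
            reasons.append("autostart keyed by a bare GUID")
        if reasons:
            findings.append((section, reasons, body))
    return findings


def review_log(text):
    """Parse a HijackThis log and return both reports in one dict."""
    entries = parse_entries(text)
    return {
        "entry_count": len(entries),
        "duplicate_handlers": duplicate_protocol_handlers(entries),
        "suspicious": suspicious_entries(entries),
    }


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for dll, names in report["duplicate_handlers"].items():
        print(f"{len(names)} O18 entries share {dll}: keep one, fix the rest")
    for section, reasons, body in report["suspicious"]:
        print(f"{section}: {', '.join(reasons)} -> {body}")
```

Feed `review_log` the text of a real HijackThis log to get the same two reports for it.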

#3 seifer_md

seifer_md
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 30 January 2007 - 05:42 PM

Thank you very much for your prompt response. Here's the ComboFix log:


--------------------------------------------------------
"Richard" - 07-01-31 9:30:22 Service Pack 2
ComboFix 07.01.30 - Running from: "C:\Documents and Settings\Richard\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\DOCUME~1\Richard\Desktop\install.exe
C:\WINDOWS\system32\yyykieuthx\winlogon.exe
C:\WINDOWS\system32\yyykieuthx\winlogon.ini
C:\Program Files\Ipwindows\ipwins.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wapisvsu.exe
C:\utc.exe
C:\Program Files\Common Files\{381C6~1
C:\Program Files\Ipwindows
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\{A81C6~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\WNSXS~1
C:\qoobox\purity\Program Files\WNSXS~1\winspool.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-31 to 2007-01-31 ))))))))))))))))))))))))))))))))))


2007-01-31 09:33 <DIR> d-------- C:\WINDOWS\ERDNT
2007-01-30 21:40 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Webroot
2007-01-30 21:34 <DIR> d-------- C:\Program Files\HijackThis
2007-01-30 17:56 <DIR> d-------- C:\DOCUME~1\Will\Application Data\Talkback
2007-01-30 17:55 <DIR> d-------- C:\DOCUME~1\Will\Application Data\Webroot
2007-01-30 17:55 <DIR> d-------- C:\DOCUME~1\Will\Application Data\Launchy
2007-01-18 10:27 <DIR> d-------- C:\Program Files\14 Degrees East
2007-01-15 17:55 <DIR> d-------- C:\Program Files\Launchy
2007-01-15 17:55 <DIR> d-------- C:\DOCUME~1\Richard\Application Data\Launchy
2007-01-15 00:43 <DIR> d-------- C:\DOCUME~1\Mike\Application Data\Template
2007-01-14 11:36 <DIR> d-------- C:\DOCUME~1\Richard\Application Data\Google
2007-01-13 21:42 <DIR> d-------- C:\Program Files\Google
2007-01-12 16:51 <DIR> d-------- C:\Program Files\National Instruments
2007-01-12 16:51 <DIR> d-------- C:\Program Files\Kip Tracer
2007-01-12 16:47 60 --a------ C:\WINDOWS\system32\SYSWQDRV.SYS
2007-01-12 16:46 <DIR> d-------- C:\Program Files\Blaze Audio
2007-01-10 14:27 <DIR> d-------- C:\GTR2
2007-01-10 07:48 123,503 --a------ C:\tysb.exe
2007-01-08 08:19 92,485 --a------ C:\tc.exe
2007-01-02 19:25 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-01-02 19:25 <DIR> d-------- C:\Program Files\Crimsonland
2006-12-31 15:26 92,485 --a------ C:\gp.exe
2006-12-31 14:24 <DIR> d--hs---- C:\WINDOWS\system32\yyykieuthx
2006-12-31 11:37 <DIR> d-------- C:\LST0AAT1
2006-12-31 11:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\DVD Shrink
2006-12-31 11:20 <DIR> d-------- C:\Program Files\DVD Shrink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-31 09:31 -------- d-------- C:\Documents and Settings\Richard\Application Data\launchy
2007-01-31 09:29 -------- d-------- C:\Program Files\mozilla firefox
2007-01-30 21:32 -------- d-------- C:\Program Files\java
2007-01-19 20:50 -------- d-------- C:\Documents and Settings\Richard\Application Data\azureus
2007-01-19 17:04 -------- d-------- C:\Program Files\azureus
2007-01-17 14:26 -------- d-------- C:\Program Files\thq
2007-01-14 13:24 -------- d-------- C:\Documents and Settings\Richard\Application Data\creative
2007-01-14 11:36 -------- d-------- C:\Documents and Settings\Richard\Application Data\google
2007-01-14 11:35 -------- d--h----- C:\Program Files\installshield installation information
2007-01-02 12:01 -------- d-------- C:\Program Files\diablo ii
2006-12-30 20:31 -------- d-------- C:\Documents and Settings\Richard\Application Data\Ódobe
2006-12-28 10:33 -------- d-------- C:\Program Files\gamespy arcade
2006-12-27 20:39 -------- d-------- C:\Program Files\ea games
2006-12-21 12:27 -------- d-------- C:\Program Files\ubisoft
2006-12-18 20:45 -------- d-------- C:\Program Files\world of warcraft
2006-12-16 09:29 -------- d-------- C:\Program Files\lego media
2006-12-16 09:29 -------- d-------- C:\Program Files\lego island
2006-12-16 09:27 -------- d-------- C:\Program Files\warcraft iii
2006-12-16 09:22 -------- d-------- C:\Documents and Settings\Richard\Application Data\installshield
2006-12-16 08:36 -------- d-------- C:\Program Files\registry mechanic
2006-12-15 18:04 -------- d-------- C:\Documents and Settings\Richard\Application Data\leadertech
2006-12-15 17:14 -------- d-------- C:\Program Files\atari
2006-12-14 17:17 -------- d-------- C:\Program Files\activision
2006-12-09 18:15 -------- d-------- C:\Program Files\Common Files\blizzard entertainment
2006-12-07 17:40 2362184 --------- C:\WINDOWS\system32\wmvcore.dll
2006-11-29 18:10 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-11-29 18:05 94208 --a------ C:\WINDOWS\diiunin.exe
2006-11-29 18:05 2829 --a------ C:\WINDOWS\diiunin.pif
2006-11-27 19:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-08 16:06 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:58 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVRID.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"Flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Richard^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Richard^Start Menu^Programs^Startup^Registration Lock On]
"backup"="C:\\WINDOWS\\pss\\Registration Lock OnStartup"
"location"="Startup"
"item"="Registration Lock On"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e047816f-4b4f-11db-91cf-00123f72905f}]
Shell\AutoRun\command E:\.pspware\PSPWareLauncher.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ANZ McAfee.com Scan for Viruses - My Computer (THEGAMER-Richard).job

Completion time: 07-01-31 9:36:06

------------------------------------------------

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:35 PM

Posted 31 January 2007 - 03:41 AM

Let's run a very thorough scanner --- then we can go at the rest manually. :thumbsup:

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download MWav:
  • Unzip it to its predetermined directory (C:\Kaspersky)
  • Locate kavupd.exe in the new folder and double-click to Update.
  • If your firewall gives any messages about this program accessing to internet, allow it.
  • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
  • When you see Updates Downloaded Successfully, hit Enter to continue.
  • Restart onto Safe Mode and locate the Kaspersky folder.
  • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now let's do the settings:
  • Leave the Default Settings checked.
  • Add a check to Drives
  • This will light up All Drives
  • Add a check to Scan all Files
  • Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
  • Please be sure it has finished before proceeding.
  • Once the scan has finished, all entries identified as Infected, will be displayed in the lower panel.
  • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
  • Open an empty notepad file and paste the results (Ctrl+V) into it. Save the notepad file to your desktop and name it as you want (e.g. MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis AND a fresh ComboFix log. You'll need to post several replies to get it all to fit in. :flowers:
Hi there, stranger!

#5 seifer_md

seifer_md
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:35 AM

Posted 31 January 2007 - 08:13 AM

MWAV Scanner Results:

-------------------------------
File C:\WINDOWS\NDNuninstall6_98.exe tagged as not-a-virus:AdWare.Win32.NewDotNet.e. No Action Taken.
File C:\Documents and Settings\Richard\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Richard\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Richard\Desktop\regular_plugin.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\gp.exe infected by "Trojan-Downloader.Win32.Agent.bdr" Virus. Action Taken: File Deleted.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\00127FF3-32F0-4139-8E4A-761A8D\C431E958-5F65-4FA3-8F04-431AD8 tagged as not-a-virus:AdWare.Win32.NewDotNet.e. No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\5118006A-F10C-42DF-A79D-9791CE\0B113FDE-8784-4525-A8FF-1A0214 tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\RECYCLER\S-1-5-18\Dc1\system.dll tagged as not-a-virus:AdWare.Win32.Softomate.u. No Action Taken.
File C:\RECYCLER\S-1-5-18\Dc1\Update.exe tagged as not-a-virus:AdWare.Win32.Softomate.u. No Action Taken.
File C:\RECYCLER\S-1-5-18\Dc2\system.dll tagged as not-a-virus:AdWare.Win32.Softomate.u. No Action Taken.
File C:\RECYCLER\S-1-5-18\Dc2\Update.exe tagged as not-a-virus:AdWare.Win32.Softomate.u. No Action Taken.
File C:\tc.exe infected by "Trojan-Downloader.Win32.Agent.bdr" Virus. Action Taken: File Deleted.
File C:\tysb.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall6_98.exe tagged as not-a-virus:AdWare.Win32.NewDotNet.e. No Action Taken.
----------------------------------------------------

#6 seifer_md

seifer_md
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:35 AM

Posted 31 January 2007 - 08:14 AM

New Hijackthis log:

-------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:12:40 AM, on 1/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9FA2032C-94CE-E841-EE4F-9D6C2F1D529E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Image Converter 2 ??? - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: bw+0 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {FFD06EAF-07D8-4551-BCF7-85D9F37DCCBD} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
-------------------------------------------

#7 seifer_md

seifer_md
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:35 AM

Posted 31 January 2007 - 08:19 AM

New ComboFix log:

----------------------------------------------------
"Richard" - 07-02-01 0:14:14 Service Pack 2
ComboFix 07.01.30 - Running from: "C:\Documents and Settings\Richard\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\WNSXS~1
C:\qoobox\purity\Program Files\WNSXS~1\winspool.exe


((((((((((((((((((((((((((((((( Files Created from 2007-01-01 to 2007-02-01 ))))))))))))))))))))))))))))))))))


2007-01-31 21:56 <DIR> d-------- C:\Downloads
2007-01-31 21:56 <DIR> d-------- C:\Bases
2007-01-31 21:55 <DIR> d-------- C:\Kaspersky
2007-01-31 09:33 <DIR> d-------- C:\WINDOWS\ERDNT
2007-01-30 21:40 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Webroot
2007-01-30 21:34 <DIR> d-------- C:\Program Files\HijackThis
2007-01-30 17:56 <DIR> d-------- C:\DOCUME~1\Will\Application Data\Talkback
2007-01-30 17:55 <DIR> d-------- C:\DOCUME~1\Will\Application Data\Webroot
2007-01-30 17:55 <DIR> d-------- C:\DOCUME~1\Will\Application Data\Launchy
2007-01-18 10:27 <DIR> d-------- C:\Program Files\14 Degrees East
2007-01-15 17:55 <DIR> d-------- C:\Program Files\Launchy
2007-01-15 17:55 <DIR> d-------- C:\DOCUME~1\Richard\Application Data\Launchy
2007-01-15 00:43 <DIR> d-------- C:\DOCUME~1\Mike\Application Data\Template
2007-01-14 11:36 <DIR> d-------- C:\DOCUME~1\Richard\Application Data\Google
2007-01-13 21:42 <DIR> d-------- C:\Program Files\Google
2007-01-12 16:51 <DIR> d-------- C:\Program Files\National Instruments
2007-01-12 16:51 <DIR> d-------- C:\Program Files\Kip Tracer
2007-01-12 16:47 60 --a------ C:\WINDOWS\system32\SYSWQDRV.SYS
2007-01-12 16:46 <DIR> d-------- C:\Program Files\Blaze Audio
2007-01-10 14:27 <DIR> d-------- C:\GTR2
2007-01-02 19:25 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-01-02 19:25 <DIR> d-------- C:\Program Files\Crimsonland


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-01 00:10 -------- d-------- C:\Program Files\mozilla firefox
2007-02-01 00:08 -------- d-------- C:\Program Files\limewire
2007-01-30 21:32 -------- d-------- C:\Program Files\java
2007-01-19 20:50 -------- d-------- C:\DOCUME~1\Richard\Application Data\azureus
2007-01-19 17:04 -------- d-------- C:\Program Files\azureus
2007-01-17 14:26 -------- d-------- C:\Program Files\thq
2007-01-14 13:24 -------- d-------- C:\DOCUME~1\Richard\Application Data\creative
2007-01-14 11:35 -------- d--h----- C:\Program Files\installshield installation information
2007-01-02 12:01 -------- d-------- C:\Program Files\diablo ii
2007-01-01 17:15 -------- d-------- C:\Program Files\dvd shrink
2006-12-30 20:31 -------- d-------- C:\DOCUME~1\Richard\Application Data\Ódobe
2006-12-28 10:33 -------- d-------- C:\Program Files\gamespy arcade
2006-12-27 20:39 -------- d-------- C:\Program Files\ea games
2006-12-21 12:27 -------- d-------- C:\Program Files\ubisoft
2006-12-18 20:45 -------- d-------- C:\Program Files\world of warcraft
2006-12-16 09:29 -------- d-------- C:\Program Files\lego media
2006-12-16 09:29 -------- d-------- C:\Program Files\lego island
2006-12-16 09:27 -------- d-------- C:\Program Files\warcraft iii
2006-12-16 09:22 -------- d-------- C:\DOCUME~1\Richard\Application Data\installshield
2006-12-16 08:36 -------- d-------- C:\Program Files\registry mechanic
2006-12-15 18:04 -------- d-------- C:\DOCUME~1\Richard\Application Data\leadertech
2006-12-15 17:14 -------- d-------- C:\Program Files\atari
2006-12-14 17:17 -------- d-------- C:\Program Files\activision
2006-12-09 18:15 -------- d-------- C:\Program Files\Common Files\blizzard entertainment
2006-12-07 17:40 2362184 --------- C:\WINDOWS\system32\wmvcore.dll
2006-11-29 18:10 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-11-29 18:05 94208 --a------ C:\WINDOWS\diiunin.exe
2006-11-29 18:05 2829 --a------ C:\WINDOWS\diiunin.pif
2006-11-27 19:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-08 16:06 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:58 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVRID.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"Flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Richard^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Richard^Start Menu^Programs^Startup^Registration Lock On]
"backup"="C:\\WINDOWS\\pss\\Registration Lock OnStartup"
"location"="Startup"
"item"="Registration Lock On"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{95dc1d64-5fad-11da-90bb-00123f72905f}]
Shell\AutoRun\command G:\FalloutTacticsLauncher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e047816f-4b4f-11db-91cf-00123f72905f}]
Shell\AutoRun\command E:\.pspware\PSPWareLauncher.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ANZ McAfee.com Scan for Viruses - My Computer (THEGAMER-Richard).job

Completion time: 07-02-01 0:16:53
C:\ComboFix2.txt ... 07-01-31 09:36
----------------------------------

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:35 PM

Posted 31 January 2007 - 09:23 AM

Hi again :flowers:

Go ahead and delete MWav and ComboFix if you wish.

Please run a scan with HijackThis and check the following object for removal:

R3 - URLSearchHook: (no name) - {9FA2032C-94CE-E841-EE4F-9D6C2F1D529E} - (no file)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Next, please navigate to, and delete the following files if present:

C:\WINDOWS\NDNuninstall6_98.exe
C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE


And the following folder:

C:\WINDOWS\system32\yyykieuthx

If you cannot see them -- make sure you can see hidden files. Also, if you are unable to delete them (errors, in use), please try again in Safe Mode.

-----

How's the system running at the moment? :thumbsup:
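The reply above applies a triage rule by hand: MWAV findings marked "Action Taken: File Deleted/Renamed" are already handled, findings marked "No Action Taken" outside a quarantine or Recycle Bin folder need manual deletion, and a HijackThis entry whose file is gone ("(no file)") is a dead entry to fix. As an added example, not code from this thread or from MWAV/HijackThis, here is a small Python helper that applies the same rule to log lines in the formats posted above (sample lines constructed from those posts; the quarantine/RECYCLER exclusion is my heuristic matching what the reply chose to list, and the helper also flags "(file missing)" entries, which the reply did not single out):

```python
import re
from dataclasses import dataclass

# Constructed sample: MWAV result lines in the format posted in this thread.
MWAV_SAMPLE = r"""
File C:\WINDOWS\NDNuninstall6_98.exe tagged as not-a-virus:AdWare.Win32.NewDotNet.e. No Action Taken.
File C:\gp.exe infected by "Trojan-Downloader.Win32.Agent.bdr" Virus. Action Taken: File Deleted.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\00127FF3-32F0-4139-8E4A-761A8D\C431E958-5F65-4FA3-8F04-431AD8 tagged as not-a-virus:AdWare.Win32.NewDotNet.e. No Action Taken.
File C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\RECYCLER\S-1-5-18\Dc1\Update.exe tagged as not-a-virus:AdWare.Win32.Softomate.u. No Action Taken.
File C:\tysb.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall6_98.exe tagged as not-a-virus:AdWare.Win32.NewDotNet.e. No Action Taken.
"""

# Constructed sample: HijackThis lines in the format posted in this thread.
HJT_SAMPLE = r"""
R3 - URLSearchHook: (no name) - {9FA2032C-94CE-E841-EE4F-9D6C2F1D529E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""


@dataclass
class MwavFinding:
    path: str
    detection: str
    action: str  # "No Action Taken", "File Deleted", "File Renamed", ...


# "tagged as <name>. No Action Taken." -- the scanner only reported the file.
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>\S+)\. No Action Taken\.$')
# 'infected by "<name>" Virus. Action Taken: <action>.' -- the scanner acted on the file.
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')


def parse_mwav(text):
    """Turn MWAV result lines into MwavFinding records; unrecognised lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = TAGGED_RE.match(line)
        if m:
            findings.append(MwavFinding(m['path'], m['name'], 'No Action Taken'))
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(MwavFinding(m['path'], m['name'], m['action']))
    return findings


# Heuristic (my assumption): files already inside another tool's quarantine folder or the
# Recycle Bin are contained and are not listed for manual deletion.
CONTAINED_DIRS = ('\\quarantine\\', '\\recycler\\')


def manual_cleanup_list(findings):
    """Paths MWAV reported but did not touch, deduplicated, excluding already-contained files."""
    seen, out = set(), []
    for f in findings:
        if f.action != 'No Action Taken':
            continue
        low = f.path.lower()
        if any(d in low for d in CONTAINED_DIRS) or low in seen:
            continue
        seen.add(low)
        out.append(f.path)
    return out


ORPHAN_MARKERS = ('(no file)', '(file missing)')
HJT_ENTRY_RE = re.compile(r'^[RFO]\d+ - ')


def orphaned_hjt_entries(text):
    """HijackThis entries that still point at a file which no longer exists (dead entries to fix)."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines
            if HJT_ENTRY_RE.match(ln) and any(mark in ln for mark in ORPHAN_MARKERS)]


if __name__ == '__main__':
    findings = parse_mwav(MWAV_SAMPLE)
    print('Already handled by the scanner:')
    for f in findings:
        if f.action != 'No Action Taken':
            print(f'  {f.action}: {f.path} ({f.detection})')
    print('Delete manually (if present):')
    for p in manual_cleanup_list(findings):
        print(f'  {p}')
    print('HijackThis entries to fix:')
    for entry in orphaned_hjt_entries(HJT_SAMPLE):
        print(f'  {entry}')
```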

#9 seifer_md

seifer_md
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:35 AM

Posted 31 January 2007 - 06:39 PM

OK, I've done everything you asked and deleted those files (I couldn't find the last folder you mentioned, however). In terms of the symptoms I was experiencing at the start, everything appears to be functioning normally now, so I guess you have vanquished all my greater concerns. Thank you very much for all your support. I will try and leave you a donation for your troubles; hopefully this will be enough to go buy yourself a beer. Thanks again.

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:35 PM

Posted 01 February 2007 - 12:54 AM


Thank you so much and I'm glad I could help!! :thumbsup:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use one at a time.)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note: only use one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
Also see TonyKlein's good advice:
So how did I get infected in the first place?

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:35 PM

Posted 09 February 2007 - 10:06 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:



