Help! Hijackthis Log


18 replies to this topic

#1 mongkok

mongkok

  • Members
  • 10 posts

Posted 10 February 2007 - 03:53 PM

Logfile of HijackThis v1.99.1
Scan saved at 04:50:12, on 11/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DC\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD5} (CS Order Entry Control (HLG)) - http://download.excelforce.com.my/hlg/cab/csoex_hlg.cab
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.excelforce.com.my/hlg/cab/cswx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts

Posted 10 February 2007 - 04:02 PM

Need any more information? I scanned with Spyware Doctor and it showed that I got a few infections, something like Keylog Sters...... I can't remember the name already.

#3 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 10 February 2007 - 04:11 PM

Welcome to Bleeping Computer mongkok :thumbsup:

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Gray_Pigeon_Server2.0 (GrayPigeonServer2.0)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

==========================

Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the SmitfraudFix report into your next reply.

==========================

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe (file missing)

Exit Hijackthis.

==========================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Reboot, post the SmitfraudFix report, the DrWeb.csv report, and a new HijackThis log in your next reply.
Let me know how your pc is running now please.
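The entries RichieUK picks out of the log above share a few visible traits: the loading point survives but the file it points to is gone ("(file missing)", "(no file)"), the entry sits in a logon-time persistence location (O20 Winlogon Notify, O21 SSODL), the service has no identifiable vendor ("Unknown owner"), or a DPF line has lost its download URL. The following triage script is an added example written for this thread, not a tool from BleepingComputer or the HijackThis project; it reproduces those same selection rules over HijackThis 1.99.1-style lines so a reader can see why these lines stand out. The sample input is constructed from the log posted above, and the rule text and the `triage` / `triage_line` function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HijackThis 1.99.1 log posted in
# this thread, mixed with benign entries so the filter has lines to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe (file missing)
"""


@dataclass
class Finding:
    section: str                       # HijackThis section code, e.g. "O23"
    line: str                          # the original log line, stripped
    reasons: list = field(default_factory=list)


# Every HijackThis entry starts with "Onn - "; the rest is section-specific text.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Logon-time persistence locations: anything listed here gets a look whether or
# not the referenced file still exists.
WATCHED_SECTIONS = {
    "O20": "Winlogon Notify entry (loaded by winlogon.exe at logon)",
    "O21": "ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)",
}


def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    # Orphaned loading point: the file is gone but the hook that launches it remains.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("referenced file is missing")
    if section in WATCHED_SECTIONS:
        reasons.append(WATCHED_SECTIONS[section])
    # O23 lines carry the service vendor; "Unknown owner" means HJT found none.
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no identifiable vendor")
    # A DPF (ActiveX download) entry normally ends in a URL; a bare trailing "-" means it lost it.
    if section == "O16" and body.rstrip().endswith("-"):
        reasons.append("DPF entry with no download URL")
    if not reasons:
        return None
    return Finding(section, line.strip(), reasons)


def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {', '.join(f.reasons)}")
        print(f"    {f.line}")
```

A flagged line is a candidate, not a verdict: the script surfaces the same entries the helper listed for "Fix checked", but each one still needs the manual confirmation a malware-response volunteer gives it before anything is removed.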

#4 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts

Posted 11 February 2007 - 12:26 PM

SmitFraudFix v2.141

Scan done at 22:22:29.85, 11/02/2007
Run from C:\Documents and Settings\DC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\DC\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Dr Web Log
A0378797.exe;C:\System Volume Information\_restore{972E0F1F-A428-4164-A5C8-3EBC2F1DBE1D}\RP324;Tool.Prockill;Incurable.Moved.;
A0378798.exe;C:\System Volume Information\_restore{972E0F1F-A428-4164-A5C8-3EBC2F1DBE1D}\RP324;Tool.ShutDown.11;Incurable.Moved.;
A0378799.DLL;C:\System Volume Information\_restore{972E0F1F-A428-4164-A5C8-3EBC2F1DBE1D}\RP324;Adware.Msearch;Incurable.Moved.;


Logfile of HijackThis v1.99.1
Scan saved at 01:18:27, on 12/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DC\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD5} (CS Order Entry Control (HLG)) - http://download.excelforce.com.my/hlg/cab/csoex_hlg.cab
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.excelforce.com.my/hlg/cab/cswx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts

Posted 11 February 2007 - 12:28 PM

After doing this my internet speed has become more stable, although it still cannot reach the speed it had before. One thing: you asked me to use HijackThis to do the file check, and I got 2 files that cannot be found, that is:
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\G_Server2.0.exe (file missing)

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 11 February 2007 - 12:36 PM

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Post the C:\ComboFix.txt into your next reply.

#7 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts

Posted 12 February 2007 - 10:11 AM

"DC" - 07-02-12 22:53:20 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\DC\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{38089~1
C:\Program Files\Common Files\{58089~1
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-11 22:58 <DIR> d-------- C:\DOCUME~1\DC\DoctorWeb
2007-02-11 22:22 3,436 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-11 22:18 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-11 22:17 <DIR> d-------- C:\WINDOWS\pss
2007-02-11 04:26 <DIR> d-------- C:\fixwareout
2007-02-11 03:33 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-02-05 16:46 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-03 13:47 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-02-03 13:45 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-02-03 07:35 3,665 --a------ C:\WINDOWS\urls.dat
2007-02-03 07:35 17,896 --a------ C:\WINDOWS\htmlcode.dat
2007-02-03 07:35 <DIR> d-------- C:\WINDOWS\system32\drv32dta
2007-02-02 23:00 57,868 --a------ C:\WINDOWS\War3Unin.dat
2007-02-02 23:00 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-02-02 23:00 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-01-18 23:01 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-10 19:37 148912 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-02-10 14:08 839936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-10 14:08 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-10 03:17 -------- d-------- C:\DOCUME~1\DC\Application Data\avg7
2006-12-19 18:11 12283855 --------- C:\AVG7QT.DAT
2006-12-18 02:18 -------- d--h----- C:\Program Files\installshield installation information
2006-12-18 02:18 -------- d-------- C:\Program Files\Common Files\installshield
2006-12-08 12:02 251672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2006-11-29 13:06 3426072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2006-11-17 00:22 869 --a------ C:\DOCUME~1\DC\Application Data\adobedlm.log
2006-11-17 00:22 0 --a------ C:\DOCUME~1\DC\Application Data\dm.ini
2006-11-15 11:38 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"P2P Networking"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05e505f3-fea0-11da-a5a7-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1051df97-37f7-11db-a472-806d6172696f}]
Shell\AutoRun\command F:\start.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{13c8b419-f0ac-11da-9b55-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14a7c599-2c59-11db-95a1-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14d0e417-58dd-11db-af1f-806d6172696f}]
Shell\AutoRun\command F:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14d0e419-58dd-11db-af1f-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15479fc7-a218-11da-8464-000c61000000}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{17977319-2946-11db-94e6-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{17c9a9f3-7282-11db-a864-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a468988-b34a-11db-b64b-000c61000000}]
Shell\AutoRun\command G:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1bb748f3-8b1a-11db-9fcb-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ddc4799-0b6f-11db-9df4-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e36ae19-85f9-11db-a568-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{204a6597-4871-11db-a65c-806d6172696f}]
shell\play\Command "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21e63699-fe07-11da-bc9f-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{25e49897-1f1d-11db-9c1e-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c3a7d19-a044-11db-9525-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32497f73-0064-11db-94b0-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{35951519-0d95-11db-aeb3-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{38f30ff3-4bda-11db-a96d-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39162d4d-5478-11db-a7d3-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39469297-1891-11db-b661-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a64c999-6ca0-11db-a1e1-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fd77e99-e8cf-11da-a198-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41856a19-52e5-11db-9bef-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46d9caf1-59f9-11db-9567-806d6172696f}]
Shell\AutoRun\command F:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46d9caf3-59f9-11db-9567-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{477a2873-0e30-11db-8d5f-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4df61e19-4b93-11db-b7fb-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4f386ef3-e031-11da-aa10-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5500cb97-5153-11db-9dd6-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5595c799-35d3-11db-a35b-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{57af4219-f5f3-11da-83ac-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5ac6e919-7c8c-11db-a32f-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f9b88cc-b7da-11db-9049-000c61000000}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{612036f2-b91f-11db-88d8-000c61000000}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{61ccf319-1cbc-11db-a03c-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63772319-2ad2-11db-a3af-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6409bdf3-11ac-11db-94a1-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{69887019-3a90-11db-b042-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6b85e373-9356-11db-8f7e-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d0e9573-dddf-11da-9ace-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{73f9b2cd-f842-11da-b411-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{748f1999-91c1-11db-8dfd-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{76a8ddf3-3bc4-11db-88f9-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a9350f3-9242-11db-8d71-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9037adf3-55e6-11db-92d2-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91ddb299-270e-11db-a7a7-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{926f9673-10e3-11db-9702-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93651f16-e274-11da-a1e6-806d6172696f}]
shell\play\Command "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93c8a919-73c2-11db-a690-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{980c5973-ed8d-11da-ace7-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{98a148f2-b34b-11db-82ec-000c61000000}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9b20d317-6bc8-11db-be6a-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f2b40f3-941c-11db-b39c-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a42bc719-ad15-11db-8f83-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a52fa299-34b0-11db-8bda-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a89b1dcc-b86a-11db-a1a6-000c61000000}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa882c19-aae6-11db-83a0-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa882c1b-aae6-11db-83a0-000c61000000}]
Shell\Auto\command infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab4fefc8-1beb-11db-b5e7-000c61000000}]
Shell\AutoRun\command I:\RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac95b5b5-60c7-11db-a7c7-000c61000000}]
Shell\Auto\command I:\infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{add5cc71-7bc0-11db-838c-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ae522899-5d17-11db-a6ee-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4893499-f77a-11da-8be2-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6582119-f94f-11da-906f-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1070f5-ae26-11db-bed6-000c61000000}]
Shell\Auto\command infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd9334f3-e0f6-11da-aaa2-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0dec399-17f5-11db-897b-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0dec39c-17f5-11db-897b-000c61000000}]
Shell\AutoRun\command F:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c24c4119-1275-11db-a1cf-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c27aa5f0-b1a9-11db-8b31-806d6172696f}]
Shell\AutoRun\command E:\autoplay.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c27aa5f3-b1a9-11db-8b31-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c969d0f3-2876-11db-95e5-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9909919-e1b7-11da-af10-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cc7a4d73-395a-11db-8a91-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cffb0b19-eafd-11da-be96-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d1434b73-2778-11db-be88-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2fa7f73-f6f3-11da-ac42-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d46e5473-e02e-11da-b485-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d905dff3-26e5-11db-8fe6-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dac9f072-b778-11db-b67c-000c61000000}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e5f55373-a954-11db-9c97-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec5cfc4d-3ce9-11db-96f3-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f06d3019-8465-11db-8f4b-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f487e519-165f-11db-9f3c-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f5273c19-f462-11da-a401-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd5c9219-3e2a-11db-bb25-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffe8a476-2ec2-11db-8d6a-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 23:02:31

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:53 PM

Posted 12 February 2007 - 10:43 AM

Copy and paste the following bold blue text below into Notepad.
Click on File (in the menu at the top) > Save as.. Save as Type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
********************************************
Windows Registry Editor Version 5.00

; Remove the "P2P Networking" autostart value (the "=-" syntax deletes a value).
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"P2P Networking"=-

; Delete the three MountPoints2 keys whose AutoRun handlers point at infrom.exe / RavMon.exe
; (a leading "-" on the key deletes the whole key). Regedit needs the full hive name here,
; so HKCU is written out as HKEY_CURRENT_USER.
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab4fefc8-1beb-11db-b5e7-000c61000000}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac95b5b5-60c7-11db-a7c7-000c61000000}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1070f5-ae26-11db-bed6-000c61000000}]


********************************************

Download and scan with the free 15-day trial of Counterspy.
Once installed, launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/Text document, then save it to your desktop.

Reboot, then post the Counterspy report and a new HijackThis log in your next reply.
Let me know how your PC is running now.

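Both the MountPoints2 dump above and the fix.reg in this reply come down to the same question: which cached AutoPlay handlers point at something other than a drive-rooted autorun.exe. The script below is an added example for this thread, not part of HijackThis, catchme or any tool RichieUK uses here. It parses an export in the plain-text format shown above and flags a handler on three heuristics: a verb Windows does not normally write into MountPoints2 (such as Auto), a launch through rundll32 ShellExec_RunDLL, and a target with no drive letter. The sample dump embedded in it is constructed from entries on this page; the key layout, the list of expected verbs and the heuristics themselves are assumptions of the example.

```python
"""Audit a MountPoints2 export for AutoRun handlers that merit review.

Added example for this thread; it is not part of HijackThis, catchme or any
other tool used here. It assumes the plain-text dump format shown in the log
above: a bracketed registry key line per volume GUID followed by one or more
'Shell\\<verb>\\command <cmd>' lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"^\[(?P<key>.+\\MountPoints2\\\{(?P<guid>[0-9a-fA-F-]{36})\})\]$")
CMD_RE = re.compile(r"^Shell\\(?P<verb>[^\\]+)\\command\s+(?P<cmd>.+)$", re.IGNORECASE)
# "rundll32 Shell32.DLL,ShellExec_RunDLL <file>" runs <file> indirectly, so the
# handler itself looks like a Windows binary rather than the file on the volume.
SHELLEXEC_RE = re.compile(r"rundll32(\.exe)?\s+shell32\.dll,\s*shellexec_rundll\s*", re.IGNORECASE)
DRIVE_ROOTED_RE = re.compile(r"^[A-Za-z]:\\")
# Verbs Windows itself writes for AutoPlay handlers (assumed allow-list).
EXPECTED_VERBS = {"autorun", "play", "open", "explore"}


@dataclass
class MountPoint:
    guid: str
    commands: dict = field(default_factory=dict)  # verb (lower-case) -> command line


def parse_mountpoints(text: str) -> list[MountPoint]:
    """Parse the dump into one MountPoint per volume GUID."""
    entries: list[MountPoint] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = MountPoint(guid=key.group("guid").lower())
            entries.append(current)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            current.commands[cmd.group("verb").lower()] = cmd.group("cmd").strip()
    return entries


def launch_target(cmd: str) -> str:
    """Return the file a handler ultimately runs: the argument after
    ShellExec_RunDLL if present, otherwise the first token (quotes stripped)."""
    m = SHELLEXEC_RE.search(cmd)
    rest = (cmd[m.end():] if m else cmd).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0] if rest else ""


def audit(entries: list[MountPoint]) -> list[dict]:
    """Apply the review heuristics; one finding per flagged handler."""
    findings = []
    for mp in entries:
        for verb, cmd in mp.commands.items():
            reasons = []
            if verb not in EXPECTED_VERBS:
                reasons.append(f"non-standard verb '{verb}'")
            if SHELLEXEC_RE.search(cmd):
                reasons.append("launched through rundll32 ShellExec_RunDLL")
            target = launch_target(cmd)
            if target and not DRIVE_ROOTED_RE.match(target) and not target.startswith("%"):
                reasons.append(f"relative target '{target}' (no drive letter)")
            if reasons:
                findings.append({"guid": mp.guid, "verb": verb, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample in the dump format above, modelled on entries from this thread.
SAMPLE_DUMP = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41856a19-52e5-11db-9bef-806d6172696f}]
Shell\AutoRun\command H:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93651f16-e274-11da-a1e6-806d6172696f}]
shell\play\Command "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa882c1b-aae6-11db-83a0-000c61000000}]
Shell\Auto\command infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab4fefc8-1beb-11db-b5e7-000c61000000}]
Shell\AutoRun\command I:\RavMon.exe
"""

if __name__ == "__main__":
    for f in audit(parse_mountpoints(SAMPLE_DUMP)):
        print(f"{{{f['guid']}}} {f['verb']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, these rules single out only the two infrom.exe handlers. I:\RavMon.exe passes all three checks, which is why the fix above still removes that key by hand: the script shortens the list a responder has to read, it does not replace the reading.
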
#9 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:53 AM

Posted 12 February 2007 - 01:45 PM

I am facing one problem here. I can't finish the scan using Counterspy; it freezes at the same place. I have tried 2 times already. What should I do?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:53 PM

Posted 12 February 2007 - 01:52 PM

Try running Counterspy in Safe Mode:
Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

#11 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:53 AM

Posted 13 February 2007 - 02:09 PM

The problem is still there even when I scan in Safe Mode; it freezes at the same place, that is, when scanning the registry keys. Below is what Counterspy detected:
- Need2FindBar Potentially Unwanted Program ( 16 Objects )
- Dimpy.Win32VBsy Backdoor (5 objects )
- Twain Tech Adware ( General )

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:53 PM

Posted 13 February 2007 - 04:22 PM

Warning:

Dimpy.Win32VBsy is a Backdoor trojan that records certain keystrokes and steals other data from the infected machine. Dimpy.Win32VBsy monitors keystrokes for passwords for login information and passwords for certain banking sites. It also steals the user's email address book, email login and passwords. Dimpy.Win32VBsy has backdoor functionality that may give an attacker control of the machine from a remote location. Dimpy.Win32VBsy is downloaded through security exploits with other malware.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information.

Banking and credit card institutions should be notified of the possible security breach.

*******************************************

Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site, click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When the download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Post the Activescan report into your next reply please.

Edited by RichieUK, 16 February 2007 - 11:08 AM.


#13 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:53 AM

Posted 14 February 2007 - 12:27 PM

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\DC\Cookies\dc@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\DC\Cookies\dc@ad.yieldmanager[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\DC\Cookies\dc@adtech[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\DC\Cookies\dc@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\DC\Cookies\dc@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\DC\Cookies\dc@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DC\Cookies\dc@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\DC\Cookies\dc@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\DC\Cookies\dc@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\DC\Cookies\dc@ehg-dig.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DC\Cookies\dc@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\DC\Cookies\dc@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\DC\Cookies\dc@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\DC\Cookies\dc@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\DC\Cookies\dc@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\DC\Cookies\dc@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\DC\Cookies\dc@tribalfusion[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\DC\Cookies\dc@yadro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\DC\Cookies\dc@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\DC\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\DC\DoctorWeb\Quarantine\A0378797.exe
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Documents and Settings\DC\DoctorWeb\Quarantine\A0378799.DLL
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Documents and Settings\DC\DoctorWeb\Quarantine\N2PLUGIN.DLL
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\DC\DoctorWeb\Quarantine\Process.exe
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Public\Cookies\public@go[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL
Virus:trj/briz.f Disinfected C:\WINDOWS\htmlcode.dat
Potentially unwanted tool:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:53 PM

Posted 14 February 2007 - 01:31 PM

How's your PC running now, please?

#15 mongkok

mongkok
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:53 AM

Posted 15 February 2007 - 07:40 PM

My computer is faster now, and I can also finish the Counterspy scan.



Scan History Details
Start Date: 15/02/2007 17:59:58
End Date: 15/02/2007 18:20:02
Total Time: 20 Min 4 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@atdmt[2].txt


Cookie: Bluestreak.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@bluestreak[1].txt


Cookie: BS.Serving-Sys Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@bs.serving-sys[1].txt
c:\documents and settings\dc\cookies\dc@serving-sys[1].txt


Cookie: CGI-Bin Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@cgi-bin[2].txt
c:\documents and settings\dc\cookies\dc@cgi-bin[3].txt


Cookie: Com.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@com[1].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@doubleclick[2].txt


Cookie: Hitbox.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@hitbox[1].txt


Cookie: FastClick.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@fastclick[2].txt


Cookie: GeoCities Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\public\cookies\public@geocities[1].txt


Cookie: IndexTools.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@indextools[2].txt


Cookie: Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@mediaplex[1].txt


Cookie: RedEye.Willhill.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\public\cookies\public@redeye.willhill[1].txt


Cookie: Zedo Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@zedo[1].txt


Cookie: TribalFusion.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@tribalfusion[2].txt


Twain Tech Adware (General) more information...
Details: Twain-Tech is an adware based Internet Explorer browser helper object that deliver targeted ads based on a user's browsing patters. Twain-Tech does not provide any other relevant purpose other then to display pop-up ads.
Status: Deleted

Files detected
C:\WINDOWS\smdat32m.sys


Cookie: casalemedia.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@casalemedia[1].txt


Cookie: statcounter.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@statcounter[1].txt


Cookie: ad.yieldmanager Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\dc\cookies\dc@ad.yieldmanager[1].txt


Dimpy.Win32VBsy Backdoor more information...
Details: Dimpy.Win32VBsy is a trojan that records certain keystrokes and steals other data from the infected machine.
Status: Deleted

Files detected
C:\WINDOWS\system32\drv32dta\klg.tmp
C:\WINDOWS\system32\drv32dta\pstore_070203_073515.txt
C:\WINDOWS\SYSTEM32\DRV32DTA


Need2FindBar Potentially Unwanted Program more information...
Details: Need2FindBar is a browser helper object (BHO) toolbar that has a search function.
Status: Deleted

Files detected
C:\Documents and Settings\DC\DoctorWeb\Quarantine\A0378799.DLL
C:\Documents and Settings\DC\DoctorWeb\Quarantine\N2PLUGIN.DLL
C:\PROGRAM FILES\NEED2FIND\bar\1.bin\N2FFXTBR.JAR
C:\PROGRAM FILES\NEED2FIND\bar\1.bin\N2NTSTBR.JAR
C:\PROGRAM FILES\NEED2FIND\bar\1.bin\NPND2FN.DLL
C:\PROGRAM FILES\NEED2FIND\bar\1.bin\PARTNER.DAT
C:\PROGRAM FILES\NEED2FIND\bar\Cache\00B246BB
C:\PROGRAM FILES\NEED2FIND\bar\Cache\files.ini
C:\PROGRAM FILES\NEED2FIND\bar\History\search
C:\PROGRAM FILES\NEED2FIND\bar\Settings\prevcfg.htm
C:\PROGRAM FILES\NEED2FIND
C:\PROGRAM FILES\NEED2FIND\BAR
C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN
C:\PROGRAM FILES\NEED2FIND\BAR\CACHE
C:\PROGRAM FILES\NEED2FIND\BAR\HISTORY
C:\PROGRAM FILES\NEED2FIND\BAR\SETTINGS
