
Registry Editing Has Been Disabled


  • This topic is locked
19 replies to this topic

#1 pasta

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 07 March 2007 - 03:04 AM

I was using VundoFix and it says "registry editing has been disabled by the administrator".
I don't remember doing anything to disable it, please help!
Also I'm having a problem with Backdoor.SDbot.aad.
Oops, forgot to say what protections I have:

AVG anti-virus
AVG anti-spyware
Spybot
Spywareblaster

Logfile of HijackThis v1.99.1
Scan saved at 3:57:22 PM, on 3/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "
O1 - Hosts: 127.0.0.3 www.ucleaner.com
O1 - Hosts: 127.0.0.3 ucleaner.com
O1 - Hosts: 127.0.0.3 www.spywareremovalnews.com
O1 - Hosts: 127.0.0.3 spywareremovalnews.com
O2 - BHO: (no name) -  - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {41FBE030-1F37-468D-855C-2601EF9CE6EC} - (no file)
O2 - BHO: (no name) - {481E7983-1F2B-4250-951A-44E0902DF978} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {6DAD678A-561F-45BE-A163-EF3B1118665A} - (no file)
O2 - BHO: (no name) - {710E8C67-4067-43B1-A67E-F0BD57388D21} - C:\WINDOWS\System32\mlljh.dll (file missing)
O2 - BHO: (no name) - {8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E} - C:\WINDOWS\system32\gebcywx.dll (file missing)
O2 - BHO: (no name) - {A8C4707B-E170-4E55-9062-681E904B62E0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O2 - BHO: (no name) - {D4E0C464-30CE-4075-9A10-71FD106C2847} - (no file)
O2 - BHO: (no name) - {DB083F90-A5CB-447B-913C-66BCEF8A1842} - C:\WINDOWS\System32\gebbcbx.dll (file missing)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8c5083b46101428aace99c74ee61379
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8c5083b46101428aace99c74ee61379
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: geeba - C:\WINDOWS\
O20 - Winlogon Notify: geedd - C:\WINDOWS\System32\geedd.dll (file missing)
O20 - Winlogon Notify: iifcyaa - iifcyaa.dll (file missing)
O20 - Winlogon Notify: mljgdef - mljgdef.dll (file missing)
O20 - Winlogon Notify: opnllij - C:\WINDOWS\
O20 - Winlogon Notify: opnmkli - opnmkli.dll (file missing)
O20 - Winlogon Notify: opnnmlj - opnnmlj.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\System32\pmkhi.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: ssqnlll - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Control Task Manager - Unknown owner - C:\WINDOWS\system32\cvsys.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Local Debug Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Process Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: Security Task Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Edited by pasta, 07 March 2007 - 03:06 AM.



#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:12 AM

Posted 07 March 2007 - 05:22 AM

Hi,

This is a nasty log :thumbsup:

Please perform my next instructions in the right order without missing any step!

First and very important: I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Then,

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: Shell=Explorer.exe "
O1 - Hosts: 127.0.0.3 www.ucleaner.com
O1 - Hosts: 127.0.0.3 ucleaner.com
O1 - Hosts: 127.0.0.3 www.spywareremovalnews.com
O1 - Hosts: 127.0.0.3 spywareremovalnews.com
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - {41FBE030-1F37-468D-855C-2601EF9CE6EC} - (no file)
O2 - BHO: (no name) - {481E7983-1F2B-4250-951A-44E0902DF978} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL (file missing)
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {6DAD678A-561F-45BE-A163-EF3B1118665A} - (no file)
O2 - BHO: (no name) - {710E8C67-4067-43B1-A67E-F0BD57388D21} - C:\WINDOWS\System32\mlljh.dll (file missing)
O2 - BHO: (no name) - {8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E} - C:\WINDOWS\system32\gebcywx.dll (file missing)
O2 - BHO: (no name) - {A8C4707B-E170-4E55-9062-681E904B62E0} - (no file)
O2 - BHO: (no name) - {D4E0C464-30CE-4075-9A10-71FD106C2847} - (no file)
O2 - BHO: (no name) - {DB083F90-A5CB-447B-913C-66BCEF8A1842} - C:\WINDOWS\System32\gebbcbx.dll (file missing)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - Startup: LimeWire On Startup.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} -
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: geeba - C:\WINDOWS\
O20 - Winlogon Notify: geedd - C:\WINDOWS\System32\geedd.dll (file missing)
O20 - Winlogon Notify: iifcyaa - iifcyaa.dll (file missing)
O20 - Winlogon Notify: mljgdef - mljgdef.dll (file missing)
O20 - Winlogon Notify: opnllij - C:\WINDOWS\
O20 - Winlogon Notify: opnmkli - opnmkli.dll (file missing)
O20 - Winlogon Notify: opnnmlj - opnnmlj.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\System32\pmkhi.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: ssqnlll - C:\WINDOWS\
O23 - Service: Control Task Manager - Unknown owner - C:\WINDOWS\system32\cvsys.exe (file missing)
O23 - Service: Local Debug Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: Remote Process Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: Security Task Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    I need that log later.
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe, Click Start and Allow to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible that in between it displays a popup offering to buy it or a 50% discount. Just close that popup.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found (screenshot not reproduced here).
  • If so, click it and then click the icon right below and select Move incurable, as shown in the screenshot (not reproduced here).
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply together with the log from SDFix and a new Hijackthislog.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
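The selection in the reply above follows a handful of rules: browser defaults reset to about:blank, hosts-file entries that send a name anywhere but the usual loopback address, BHO/toolbar/service registrations whose file is gone, any O7 policy restriction, and every Winlogon Notify package that is not part of a stock XP install (which is why rpcc.dll is picked even though the file is present). As an added example, not part of this thread and not HijackThis' own logic, here is that triage written out in Python and run over a constructed subset of the posted log. The allowlist of standard Notify packages and the rules themselves are this example's assumptions about analyst practice.

```python
"""Triage a HijackThis 1.99-style log for the entries an analyst would flag.

Added example, not part of the original thread and not HijackThis' own logic.
The rules below (which entry types and conditions are suspicious, the allowlist
of standard Winlogon Notify packages) are this example's assumptions about
analyst practice. SAMPLE_LOG is constructed from entries quoted in the thread.
"""
import re
from typing import List, Optional, Tuple

# Assumption: the Winlogon Notify packages that ship with Windows XP. Anything
# else registered under Winlogon\Notify loads a DLL into winlogon.exe at logon
# and deserves a look even when the file is present (rpcc.dll in the thread).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: Shell=Explorer.exe "
O1 - Hosts: 127.0.0.3 www.ucleaner.com
O2 - BHO: (no name) - {710E8C67-4067-43B1-A67E-F0BD57388D21} - C:\WINDOWS\System32\mlljh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: geeba - C:\WINDOWS\
O20 - Winlogon Notify: opnmkli - opnmkli.dll (file missing)
O23 - Service: Control Task Manager - Unknown owner - C:\WINDOWS\system32\cvsys.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (entry type, reason) if the entry looks suspicious, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    lower = body.lower()
    missing = any(mk in lower for mk in MISSING_MARKERS)

    if kind in ("R0", "R1") and lower.endswith("= about:blank"):
        return kind, "browser default reset to about:blank (hijacker residue)"
    if kind == "F2" and lower.startswith("reg:system.ini: shell="):
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return kind, f"non-standard Winlogon shell value {shell!r}"
    if kind == "O1":
        # "Hosts: <address> <name>": blocklists use 127.0.0.1 or 0.0.0.0
        parts = body.split(":", 1)[1].split()
        if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "0.0.0.0"):
            return kind, f"hosts file sends {parts[1]} to {parts[0]}"
    if kind in ("O2", "O3") and missing:
        return kind, "BHO/toolbar registration whose DLL is gone (orphan)"
    if kind == "O7":
        return kind, "restrictive user policy set (DisableRegedit etc.)"
    if kind == "O20" and lower.startswith("winlogon notify:"):
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if name not in KNOWN_NOTIFY:
            return kind, f"Winlogon Notify package {name!r} is not a standard XP package"
    if kind == "O23" and "unknown owner" in lower and missing:
        return kind, "service with no vendor whose binary is missing"
    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (entry type, reason, line) for every suspicious entry in a log."""
    hits = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.strip()))
    return hits


if __name__ == "__main__":
    for kind, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the sample, the script flags nine of the twelve lines and leaves the AVG, Google Toolbar and NVIDIA entries alone. The allowlist approach for O20 is deliberate: a Notify DLL that exists on disk is more dangerous than one that is missing, so "file present" is not a reason to skip it.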

#3 pasta (Topic Starter)

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 08 March 2007 - 12:37 AM

THANKS for the help, these are the results after the steps.
And for some reason I can't make a HijackThis log; when I click to save the log, it just closes the application.
And when I was scanning with Dr.Web, AVG kept popping up; I think it was detecting what Dr.Web found. Should I have disabled AVG?


SDFix: Version 1.69

Run by Mark - Thu 03/08/2007 @ 1:43:30.23

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Remote Process Manager
Security Task Manager




Killing PID 156 'smss.exe'
Killing PID 228 'winlogon.exe'
Killing PID 228 'winlogon.exe'
Killing PID 156 'smss.exe'
Killing PID 228 'winlogon.exe'

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\47QDUF2N\SMARTL~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\G9MRM7GL\SMARTL~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\G9MRM7GL\SMARTL~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\47QDUF2N\SMARTL~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\G9MRM7GL\SMARTL~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\G9MRM7GL\SMARTL~2.HTM - Deleted
C:\WINDOWS\system32\ma.exe.exe - Deleted
C:\WINDOWS\system32\pp.exe.exe - Deleted
C:\WINDOWS\system32\zu.exe.exe - Deleted
C:\WINDOWS\system32\edfimg_87234.exe - Deleted
C:\WINDOWS\system32\eraseme_00602.exe - Deleted
C:\WINDOWS\system32\eraseme_06654.exe - Deleted
C:\WINDOWS\system32\eraseme_14047.exe - Deleted
C:\WINDOWS\system32\eraseme_21575.exe - Deleted
C:\WINDOWS\system32\eraseme_32282.exe - Deleted
C:\WINDOWS\system32\eraseme_45235.exe - Deleted
C:\WINDOWS\system32\eraseme_47302.exe - Deleted
C:\WINDOWS\system32\eraseme_53341.exe - Deleted
C:\WINDOWS\system32\eraseme_55504.exe - Deleted
C:\WINDOWS\system32\adirss.exe - Deleted
C:\WINDOWS\system32\dd.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\kernels88.exe - Deleted
C:\WINDOWS\system32\lnwin.exe - Deleted
C:\WINDOWS\system32\peers.ini - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\sm.exe - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\Mark\Local Settings\Temp\worrysye.dll
C:\WINDOWS\system32\mfee.exe
C:\WINDOWS\system32\syslem.exe
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL0019.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL0050.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL0112.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL0885.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL1056.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL1408.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL1501.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL1520.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL2070.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL2838.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL3599.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL3820.tmp
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL4059.tmp
C:\Documents and Settings\Mark\My Documents\~WRL0003.tmp
C:\Documents and Settings\Mark\My Documents\~WRL0328.tmp
C:\Documents and Settings\Mark\My Documents\~WRL0458.tmp
C:\Documents and Settings\Mark\My Documents\~WRL0685.tmp
C:\Documents and Settings\Mark\My Documents\~WRL0972.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem32.inf
C:\WINDOWS\LastGood.Tmp\INF\oem32.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem9.inf
C:\WINDOWS\LastGood.Tmp\INF\oem9.PNF
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Add/Remove Programs List:

ECHO is off.
Adobe Photoshop CS2
AndreaMosaic 3.18
AVG 7.5
AVG Anti-Spyware 7.5
BitLord 1.1
CCleaner (remove only)
Chikka Messenger V4
Combined Community Codec Pack 2006-12-15
DivX Content Uploader
ESC45 Reference Guide
ESC45 Software Guide
HijackThis 1.99.1
hp psc 1200 series
i-Fun Viewer
LimeWire PRO 4.13.0
Logitech Print Service
Mozilla Firefox (1.5)
Nero Suite
nProtect KeyCrypt
NVIDIA Drivers
Plugin Manager 2.1
RescuePROT 3.0
RM Converter 3.28
Spybot - Search & Destroy 1.3
SpywareBlaster v3.5.1
SWiSHmax
River Past Video Cleaner Pro
WinRAR archiver
WinZip
WordWeb
Yahoo! Toolbar
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Install Manager
Zuma Deluxe 1.0
Microsoft Office 2000 Premium
Microsoft Office Web Components
AutoUpdate
Google Toolbar for Internet Explorer
Adobe Photoshop CS2
Macromedia Flash 8
Nokia Connectivity Cable Driver
Nero 7 Premium
Macromedia Extension Manager
Nokia PC Suite
Apple Software Update
Sony USB Driver
HP Photo and Imaging 2.0 - All-in-One Drivers
Java 2 Runtime Environment, SE v1.4.2_05
VSAdd-in for Internet Explorer
Adobe Stock Photos 1.0
DivX Codec
MSN Search Toolbar
Macromedia Flash Player 8
DivX Player
Macromedia Flash 8 Video Encoder
Adobe Common File Installer
Macromedia Flash Player 8 Plugin
Adobe Illustrator CS
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
HP Photo and Imaging 2.0 - All-in-One
Intel Application Accelerator
Logitech QuickCam
Adobe Reader 6.0.1
ShadowFixer
DivX Converter
HP Memories Disc
DivX Web Player
Adobe Bridge 1.0
MSN Messenger 7.5
Adobe Creative Suite
Google Toolbar for Internet Explorer
Logitech Mobile Video
Adobe Help Center 1.0
QuickTime


Finished

DR.WEB LOG

awtrpnk.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
cvsys.exe;c:\windows\system32;Win32.HLLW.MyBot.based;Deleted.;
mlljk.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
acid[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TI7RQYDX;Trojan.Virtumod;Deleted.;
lo1[1];C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\QBKBJS58;Trojan.Virtumod;Deleted.;
A0003514.dll;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Trojan.Virtumod;Deleted.;
A0003515.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Win32.HLLW.MyBot.based;Deleted.;
A0003527.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Tool.Prockill;;
A0003547.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Win32.HLLW.MyBot.based;Deleted.;
A0003552.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003565.dll;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Trojan.Virtumod;Deleted.;
A0003574.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003575.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003576.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003577.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003579.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003581.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003582.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003583.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003584.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003585.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
A0003614.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP12;Win32.HLLW.MyBot.based;Deleted.;
awtrpnk.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
cvsys.exe;C:\WINDOWS\system32;Win32.HLLW.MyBot.based;Deleted.;
eraseme_57372.exe;C:\WINDOWS\system32;Win32.HLLW.MyBot.based;Deleted.;
mbakbtvx.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mlljk.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
tuvvutt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0003528.exe;D:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Tool.Prockill;;
A0003529.exe;D:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Tool.ShutDown.11;;
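When reading a Dr.Web report like the one above, the line count matters less than three distinctions: which hits the scanner could not remove while the system was running (the "Will be cured after reboot." Virtumod DLLs), which it listed but did nothing with (the empty action field on the Tool.Prockill entries), and how many of the hits sit in System Restore points rather than on the live system. As an added example, not from this thread and not Dr.Web's own tooling, the following Python parses that semicolon-separated format (an assumption read off the posted log) and produces that breakdown over a constructed subset of the report.

```python
"""Summarise a Dr.Web CureIt report of the kind pasted in the thread.

Added example, not part of the original thread and not Dr.Web's own tooling.
Each report line is `file;directory;threat;action;` (an empty action field
means the scanner listed the file but did nothing, as with Tool.Prockill
above); that format is read off the posted log and is an assumption here.
SAMPLE_REPORT is constructed from lines quoted in the thread.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_REPORT = r"""
awtrpnk.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
cvsys.exe;c:\windows\system32;Win32.HLLW.MyBot.based;Deleted.;
A0003514.dll;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Trojan.Virtumod;Deleted.;
A0003527.exe;C:\System Volume Information\_restore{873095B9-52FB-40D9-BA25-18CC680E5B9F}\RP11;Tool.Prockill;;
awtrpnk.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
mlljk.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
tuvvutt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
"""


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        # Normalise case: the express scan and the full scan report the same
        # file twice with different directory casing.
        return (self.directory.rstrip("\\") + "\\" + self.name).lower()

    @property
    def in_restore_point(self) -> bool:
        return "system volume information" in self.directory.lower()

    @property
    def still_resident(self) -> bool:
        # The scanner could not remove the file while the system was running
        # and has only scheduled it for the next reboot.
        return self.action.lower().startswith("will be cured after reboot")

    @property
    def untouched(self) -> bool:
        return self.action.strip() == ""


def parse_report(text: str) -> List[Detection]:
    """Parse the semicolon-separated report into Detection records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        records.append(Detection(*fields[:4]))
    return records


def summarise(records: List[Detection]) -> Dict[str, object]:
    """Group detections the way an analyst reads the report."""
    families = Counter(d.threat for d in records)
    return {
        "families": dict(families),
        # Unique paths still on disk: these decide whether a reboot and a
        # follow-up scan are needed before calling the machine clean.
        "resident": sorted({d.path for d in records if d.still_resident}),
        "untouched": sorted({d.path for d in records if d.untouched}),
        # Hits inside System Restore points are inert until a restore is run.
        "restore_point_hits": sum(1 for d in records if d.in_restore_point),
        "live_hits": sum(1 for d in records if not d.in_restore_point),
    }


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample this reports two resident DLLs (awtrpnk.dll and mlljk.dll, each listed twice in the report but counted once), one untouched file in a restore point, and five live hits against two restore-point hits. The "resident" list is what a helper checks against the next HijackThis log after the reboot.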

#4 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:12 AM

Posted 08 March 2007 - 12:52 AM

Hi,

I knew you were dealing with a lot of infections, but I didn't know it was that bad :thumbsup:
Your system is really terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution would be searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.


Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\Documents and Settings\Mark\Local Settings\Temp\worrysye.dll
C:\WINDOWS\system32\mfee.exe
C:\WINDOWS\system32\syslem.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Browse to and delete the following files:

C:\Documents and Settings\Mark\Local Settings\Temp\worrysye.dll
C:\WINDOWS\system32\mfee.exe
C:\WINDOWS\system32\syslem.exe

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
If your HijackThis won't open, can you rename Hijackthis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).

#5 pasta

Posted 08 March 2007 - 02:20 AM

Yeah, I figured that it can't be fully fixed; I was already planning on buying a new HD and reinstalling Windows, then reformatting this infected one :thumbsup:
Anyways, until I can afford a new HD I'll try this method and post the results.

again, THANKS for taking the time to help me :flowers:

#6 pasta

Posted 08 March 2007 - 02:42 AM

Here are the results! :thumbsup:




"Mark" - 07-03-08 15:32:21 Service Pack 1
ComboFix 07-03-08 - Running from: "C:\Documents and Settings\Mark\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard191.dat
C:\WINDOWS\keyboard201.dat
C:\WINDOWS\system32\vexga1me4t1.exe
C:\WINDOWS\system32\vexga3me2.exe
C:\WINDOWS\system32\vexga5me3.exe
C:\WINDOWS\system32\vexga8me6.exe
C:\INSTALL.LOG
C:\WINDOWS\system32\m2.exe
C:\Program Files\Common Files\{943DD~1
C:\Program Files\Common Files\{943DD~2
C:\DOCUME~1\Mark\APPLIC~1.\SearchToolbarCorp
C:\DOCUME~1\Mark\APPLIC~1.\SearchToolbarCorp\Toolbar Vision
C:\Program Files\Common Files\misc002
C:\Program Files\VSAdd-in


((((((((((((((((((((((((((((((( Files Created from 2007-02-08 to 2007-03-08 ))))))))))))))))))))))))))))))))))


2007-03-08 13:34 0 --a------ C:\WINDOWS\system32\setup_25207.exe
2007-03-08 13:29 41,804 --a------ C:\WINDOWS\system32\eraseme_06711.exe
2007-03-08 13:18 41,804 -r-hs---- C:\WINDOWS\system32\cvsys.exe
2007-03-08 13:17 41,804 --a------ C:\WINDOWS\system32\setup_14047.exe
2007-03-08 11:09 5,821,808 --a------ C:\drweb-cureit.exe
2007-03-08 08:50 446,678 ---hs---- C:\WINDOWS\system32\kjllm.bak1
2007-03-08 08:50 282,212 --------- C:\WINDOWS\system32\mlljk.dll
2007-03-08 08:45 26,685 --------- C:\WINDOWS\system32\awtrpnk.dll
2007-03-08 02:04 <DIR> d-------- C:\DOCUME~1\Mark\DoctorWeb
2007-03-06 00:00 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-03-06 00:00 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-03-06 00:00 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-03-06 00:00 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-03-06 00:00 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-03-06 00:00 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-03-06 00:00 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-03-06 00:00 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-03-06 00:00 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-03-05 23:59 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-03-05 23:59 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-03-05 23:59 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-03-05 23:59 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-03-05 23:59 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-03-05 23:59 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-03-05 23:59 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-03-05 23:59 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-03-05 23:59 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2007-03-05 23:59 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-03-05 23:59 723,968 --a------ C:\WINDOWS\system32\dpnet.dll
2007-03-05 23:59 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-03-05 23:59 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2007-03-05 23:59 667,648 --a------ C:\WINDOWS\system32\dinput8.dll
2007-03-05 23:59 66,408 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-03-05 23:59 648,704 --a------ C:\WINDOWS\system32\dinput.dll
2007-03-05 23:59 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2007-03-05 23:59 602,624 --a------ C:\WINDOWS\system32\dx7vb.dll
2007-03-05 23:59 590,336 --a------ C:\WINDOWS\system32\d3dramp.dll
2007-03-05 23:59 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-03-05 23:59 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-03-05 23:59 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-03-05 23:59 491,520 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-03-05 23:59 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-03-05 23:59 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2007-03-05 23:59 47,616 --a------ C:\WINDOWS\system32\d3dxof.dll
2007-03-05 23:59 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-03-05 23:59 467,968 --a------ C:\WINDOWS\system32\diactfrm.dll
2007-03-05 23:59 44,032 --a------ C:\WINDOWS\system32\dimap.dll
2007-03-05 23:59 436,224 --a------ C:\WINDOWS\system32\d3dim.dll
2007-03-05 23:59 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-03-05 23:59 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-03-05 23:59 381,952 --a------ C:\WINDOWS\system32\dsound.dll
2007-03-05 23:59 381,952 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-03-05 23:59 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-03-05 23:59 350,208 --a------ C:\WINDOWS\system32\d3drm.dll
2007-03-05 23:59 34,816 --a------ C:\WINDOWS\system32\d3dpmesh.dll
2007-03-05 23:59 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-03-05 23:59 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2007-03-05 23:59 324,096 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-03-05 23:59 32,768 --a------ C:\WINDOWS\system32\dpnhpast.dll
2007-03-05 23:59 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2007-03-05 23:59 31,744 --a------ C:\WINDOWS\system32\pid.dll
2007-03-05 23:59 3,072 --a------ C:\WINDOWS\system32\dpnlobby.dll
2007-03-05 23:59 3,072 --a------ C:\WINDOWS\system32\dpnaddr.dll
2007-03-05 23:59 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2007-03-05 23:59 28,160 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-03-05 23:59 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2007-03-05 23:59 257,024 --a------ C:\WINDOWS\system32\qcap.dll
2007-03-05 23:59 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-03-05 23:59 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2007-03-05 23:59 223,232 --a------ C:\WINDOWS\system32\gcdef.dll
2007-03-05 23:59 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-03-05 23:59 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-03-05 23:59 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-03-05 23:59 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2007-03-05 23:59 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-03-05 23:59 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2007-03-05 23:59 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-03-05 23:59 16,896 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-03-05 23:59 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-03-05 23:59 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-03-05 23:59 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-03-05 23:59 132,608 --a------ C:\WINDOWS\system32\devenum.dll
2007-03-05 23:59 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-03-05 23:59 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2007-03-05 23:59 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2007-03-05 23:59 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-03-05 23:59 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-03-05 23:59 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-03-05 23:59 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-03-05 23:59 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2007-03-05 23:59 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-03-05 23:59 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2007-03-05 23:59 1,798,144 --a------ C:\WINDOWS\system32\qedit.dll
2007-03-05 23:59 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-03-05 23:59 1,703,936 --a------ C:\WINDOWS\system32\d3d9.dll
2007-03-05 23:59 1,294,336 --a------ C:\WINDOWS\system32\dsound3d.dll
2007-03-05 23:59 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-03-05 23:59 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2007-03-05 23:59 1,189,888 --a------ C:\WINDOWS\system32\dx8vb.dll
2007-03-05 23:59 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-05 23:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-05 22:43 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Apple Computer
2007-03-05 22:41 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-05 22:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-05 12:13 1,198 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-05 11:52 <DIR> d-------- C:\VundoFix Backups
2007-03-04 14:08 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-04 14:07 3,750 --a------ C:\WINDOWS\system32\testeter.exe
2007-03-03 00:00 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Google
2007-03-03 00:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-03-02 23:59 <DIR> d-------- C:\Program Files\Google
2007-03-02 20:21 561,152 -ra------ C:\WINDOWS\system32\hpotscl.dll
2007-03-02 20:21 274,432 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2007-03-02 20:21 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-03-02 20:21 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-03-02 17:51 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-03-02 16:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-02 16:30 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-03-02 16:29 775,680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-03-02 16:29 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-03-02 16:29 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-03-02 16:29 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-03-02 16:29 19,392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-03-02 16:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-03-02 16:03 981,504 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2007-03-02 16:03 82,432 --a------ C:\WINDOWS\system32\drmstor.dll
2007-03-02 16:03 816,264 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-03-02 16:03 81,408 --a------ C:\WINDOWS\system32\logagent.exe
2007-03-02 16:03 760,968 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-03-02 16:03 678,912 --a------ C:\WINDOWS\system32\drmv2clt.dll
2007-03-02 16:03 670,208 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-03-02 16:03 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2007-03-02 16:03 410,248 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-03-02 16:03 301,712 --a------ C:\WINDOWS\system32\drmclien.dll
2007-03-02 16:03 253,952 --a------ C:\WINDOWS\system32\msnetobj.dll
2007-03-02 16:03 241,664 --a------ C:\WINDOWS\system32\qasf.dll
2007-03-02 16:03 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2007-03-02 16:03 232,960 --a------ C:\WINDOWS\system32\blackbox.dll
2007-03-02 16:03 218,112 --a------ C:\WINDOWS\system32\wmasf.dll
2007-03-02 16:03 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2007-03-02 16:03 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\FotoWire
2007-03-02 16:02 447,052 --ahs---- C:\WINDOWS\system32\ihkmp.bak1
2007-03-02 15:37 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-02 15:31 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\DivX
2007-03-02 15:31 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\AVG7
2007-03-02 15:12 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-03-02 15:09 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-03-02 15:09 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-02-22 11:14 445,588 --ahs---- C:\WINDOWS\system32\ddeeg.bak1
2007-02-22 10:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-02-22 10:43 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-02-22 00:29 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-22 00:11 445,628 --ahs---- C:\WINDOWS\system32\dccdd.bak1
2007-02-21 05:34 4,660 --a------ C:\WINDOWS\is67160.exe
2007-02-20 01:06 <DIR> d-------- C:\Program Files\i-Fun Viewer
2007-02-19 00:17 52,224 --a------ C:\WINDOWS\system32\Crypserv.exe
2007-02-19 00:17 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2007-02-19 00:17 24,608 --a------ C:\WINDOWS\system32\Ckldrv.sys
2007-02-19 00:17 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2007-02-19 00:17 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2007-02-19 00:17 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2007-02-15 02:18 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\DivX
2007-02-14 21:51 36,624 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-02-14 21:51 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-14 21:51 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-14 21:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-02-14 21:51 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-02-14 21:51 116,472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-02-14 21:50 <DIR> d-------- C:\Program Files\DivX
2007-02-14 21:09 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\River Past G4
2007-02-14 21:03 163,426 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-02-14 21:03 <DIR> d-------- C:\Program Files\River Past
2007-02-14 21:03 <DIR> d-------- C:\Program Files\Common Files\River Past
2007-02-14 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\River Past G4
2007-02-14 00:55 <DIR> d-------- C:\Program Files\BitLord
2007-02-13 22:49 <DIR> d-------- C:\Program Files\Studio e.go!
2007-02-13 22:48 304,128 --a------ C:\WINDOWS\IsUn0411.exe
2007-02-13 22:20 <DIR> d-------- C:\Program Files\CCleaner
2007-02-11 16:04 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2007-02-09 09:15 481,729 --ahs---- C:\WINDOWS\system32\jlkkj.bak2
2007-02-09 02:23 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2007-02-08 08:48 463,427 --ahs---- C:\WINDOWS\system32\jlkkj.bak1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-07 15:42 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\yahoo!
2007-03-07 00:27 -------- d-------- C:\Program Files\megauploadtoolbar
2007-03-05 23:58 -------- d-------- C:\Program Files\directx
2007-03-05 22:42 -------- d-------- C:\Program Files\quicktime
2007-03-04 11:39 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\adobeum
2007-03-03 17:10 84 ---h-c--- C:\WINDOWS\popcinfo.dat
2007-03-02 17:33 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\avg7
2007-03-02 16:29 -------- d---s---- C:\DOCUME~1\Mark\APPLIC~1\microsoft
2007-03-02 16:03 -------- d-------- C:\Program Files\logitech
2007-03-02 15:29 22776 --a--c--- C:\WINDOWS\system32\emptyregdb.dat
2007-02-19 00:48 -------- d-------- C:\Program Files\swishmax
2007-02-14 22:02 4368 --a--c--- C:\WINDOWS\mozver.dat
2007-02-14 00:54 -------- d-------- C:\Program Files\virtual villagers
2007-02-14 00:53 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\utorrent
2007-02-08 00:40 -------- d-------- C:\Program Files\Common Files\real
2007-02-07 22:21 -------- d-------- C:\Program Files\real
2007-02-07 18:32 -------- d-------- C:\Program Files\rm converter
2007-02-07 17:33 448709 --ahs---- C:\WINDOWS\system32\opqss.bak1
2007-02-07 10:35 164 --a------ C:\install.dat
2007-02-07 08:22 468661 --ahs---- C:\WINDOWS\system32\abeeg.bak2
2007-02-05 23:27 12800 --a------ C:\WINDOWS\system32\pfplgscn.dll
2007-02-05 17:08 -------- d-------- C:\Program Files\bullfrog
2007-02-05 06:54 448013 --ahs---- C:\WINDOWS\system32\abeeg.bak1
2007-02-04 04:43 4096 --a------ C:\WINDOWS\system32\pfplgtcp.dll
2007-02-03 01:36 -------- d-------- C:\Program Files\alcohol soft
2007-02-03 01:34 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-01-31 20:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 20:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 20:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 20:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 16:30 7680 --a------ C:\WINDOWS\system32\pfplgnfo.dll
2007-01-31 13:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-30 15:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-29 21:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-29 21:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-29 21:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 20:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 20:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 20:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 20:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-29 20:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 20:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 20:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 20:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-29 19:31 11961713 --------- C:\AVG7QT.DAT
2007-01-27 21:50 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\swishvideo
2007-01-20 16:39 -------- d-------- C:\Program Files\limewire
2007-01-20 16:07 -------- d-------- C:\Program Files\popcap games
2007-01-17 22:13 -------- d-------- C:\Program Files\chikka messenger
2007-01-17 22:13 -------- d-------- C:\Program Files\chikka
2007-01-16 00:31 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-16 00:30 -------- d--h----- C:\Program Files\installshield installation information
2007-01-16 00:30 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\megauploadtoolbar
2007-01-15 23:45 -------- d-------- C:\Program Files\crimsonland
2007-01-15 19:42 99965 --a------ C:\WINDOWS\uninstallfirefox.exe
2006-12-12 08:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"nwiz"="nwiz.exe /install"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F6292B16-443E-4EF2-AFC0-01533A7ACD27}"=""
"{8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{DB083F90-A5CB-447B-913C-66BCEF8A1842}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"stack12"="C:\\WINDOWS\\system32\\mfee.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"stack12"="C:\\WINDOWS\\system32\\mfee.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=dword:00000000
"Wallpaper"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrpnk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1135973688.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1158269651.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-08 15:34:51


Logfile of HijackThis v1.99.1
Scan saved at 3:39:33 PM, on 3/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1632B9BA-7F16-488B-9EEE-02E22B0239F7} - C:\WINDOWS\System32\mlljk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O2 - BHO: (no name) - {DB083F90-A5CB-447B-913C-66BCEF8A1842} - C:\WINDOWS\System32\awtrpnk.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8c5083b46101428aace99c74ee61379
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8c5083b46101428aace99c74ee61379
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: awtrpnk - C:\WINDOWS\SYSTEM32\awtrpnk.dll
O20 - Winlogon Notify: mlljk - C:\WINDOWS\System32\mlljk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#7 miekiemoes

Posted 08 March 2007 - 07:16 AM

Hi,

I see your TeaTimer is still running. You really have to disable it, because it will interfere with our fixes. Only enable it when I say your system is clean again, not before. So read my instructions again to disable TeaTimer.

Then, follow my steps in the right order.

I assume you still have hidden files and folders shown, because you have to delete some files manually.

So browse to and delete the following files:

C:\WINDOWS\system32\setup_25207.exe
C:\WINDOWS\system32\eraseme_06711.exe
C:\WINDOWS\system32\cvsys.exe
C:\WINDOWS\system32\setup_14047.exe
C:\WINDOWS\system32\kjllm.bak1
C:\VundoFix Backups <== folder, since we don't need the backups in this folder
C:\WINDOWS\system32\testeter.exe
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\pfplgscn.dll
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\pfplgtcp.dll
C:\WINDOWS\system32\pfplgnfo.dll

Don't worry if you're not able to delete some; we'll deal with them afterwards.

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{F6292B16-443E-4EF2-AFC0-01533A7ACD27}]

[-HKEY_CLASSES_ROOT\CLSID\{8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E}]

[-HKEY_CLASSES_ROOT\CLSID\{DB083F90-A5CB-447B-913C-66BCEF8A1842}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F6292B16-443E-4EF2-AFC0-01533A7ACD27}"=-
"{8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E}"=-
"{DB083F90-A5CB-447B-913C-66BCEF8A1842}"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"stack12"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"stack12"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=-
"Wallpaper"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=-
"ForceActiveDesktopOn"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=-

Save this as fix.reg. Choose "All Files" as the file type and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, you have to run combofix again, but in another way than you did before, so read my instructions very carefully.

Go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\Mark\Desktop\ComboFix.exe" /v mlljk awtrpnk

Hit Enter. This should start combofix again and then reboot your computer.
After the reboot, it will open the Combofix log, which will be present on your C:\ with the name Combofix.txt.
I need that log later.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {1632B9BA-7F16-488B-9EEE-02E22B0239F7} - C:\WINDOWS\System32\mlljk.dll
O2 - BHO: (no name) - {DB083F90-A5CB-447B-913C-66BCEF8A1842} - C:\WINDOWS\System32\awtrpnk.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: awtrpnk - C:\WINDOWS\SYSTEM32\awtrpnk.dll
O20 - Winlogon Notify: mlljk - C:\WINDOWS\System32\mlljk.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new HijackThis log in your next reply together with the new log from ComboFix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
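An added verification script (my own, not part of the thread or of miekiemoes' instructions) that reads back the registry locations fix.reg above targets and reports anything still present, so the merge can be checked before the next log is posted. It assumes an elevated PowerShell on the affected machine; the CLSIDs and value names come from this thread, and DisableRegistryTools is included because it is the value behind the "registry editing has been disabled" message that opened the thread.

```powershell
# Added verification script, not part of the thread or the helper's instructions.
# It reads back the registry locations fix.reg targets and reports anything still
# present. Assumes an elevated PowerShell on the affected machine; the CLSIDs and
# value names come from the thread, the checks themselves are generic.

function Test-FixRegResidue {
    $findings = @()

    # Policy values that lock the user out of regedit, cmd and folder options.
    # DisableRegistryTools is not in fix.reg but is the value behind the
    # "registry editing has been disabled" message that opened the thread.
    $policyChecks = @(
        @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Names = @('DisableRegistryTools', 'DisableCMD', 'Wallpaper') },
        @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Names = @('NoActiveDesktop', 'ForceActiveDesktopOn', 'NoFolderOptions') },
        @{ Path  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Names = @('NoFolderOptions') },
        @{ Path  = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Names = @('NoFolderOptions') }
    )
    foreach ($check in $policyChecks) {
        if (-not (Test-Path $check.Path)) { continue }
        $props = Get-ItemProperty -Path $check.Path
        foreach ($name in $check.Names) {
            if ($null -ne $props.$name) {
                $findings += "[policy still set] $($check.Path) : $name = $($props.$name)"
            }
        }
    }

    # The "stack12" Run value fix.reg removes from the .DEFAULT and SYSTEM hives.
    foreach ($hive in 'Registry::HKEY_USERS\.DEFAULT', 'Registry::HKEY_USERS\S-1-5-18') {
        $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if ((Test-Path $run) -and ($null -ne (Get-ItemProperty -Path $run).stack12)) {
            $findings += "[run entry still present] $run : stack12"
        }
    }

    # ShellExecuteHooks: every CLSID listed here is a DLL Explorer loads. Resolve
    # each to its InProcServer32 path so unknown ones stand out. The three CLSIDs
    # fix.reg deletes are flagged; the URL Exec Hook in shell32.dll is the one
    # entry a clean Windows XP install has here.
    $knownBad  = '{F6292B16-443E-4EF2-AFC0-01533A7ACD27}',
                 '{8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E}',
                 '{DB083F90-A5CB-447B-913C-66BCEF8A1842}'
    $knownGood = '{AEB6717E-7E19-11d0-97EE-00C04FD91972}'
    $hooks = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $hooks) {
        foreach ($clsid in (Get-Item -Path $hooks).GetValueNames()) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            } else {
                $dll = '<no CLSID registration>'
            }
            if ($knownBad -contains $clsid) { $tag = 'KNOWN BAD' }
            elseif ($knownGood -eq $clsid) { $tag = 'default' }
            else { $tag = 'review' }
            $findings += "[shellexecutehook $tag] $clsid -> $dll"
        }
    }

    # Winlogon Notify subkeys (the O20 lines in the HijackThis log): each names a
    # DLL that winlogon.exe loads at logon, so every entry deserves a look.
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dllName = (Get-ItemProperty -Path $sub.PSPath).DLLName
            $findings += "[winlogon notify] $($sub.PSChildName) -> $dllName"
        }
    }

    return $findings
}

Test-FixRegResidue
```

An empty result means the policy values and the stack12 Run entry are gone; the ShellExecuteHooks and Winlogon Notify lines are always listed so that whatever remains can be compared against the log.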

#8 pasta (Topic Starter, Members, 19 posts)

Posted 10 March 2007 - 05:02 AM

Hi!

Sorry if I wasn't able to reply quickly, I got sidetracked by my work. Hope you'll still help me :flowers:

Logfile of HijackThis v1.99.1
Scan saved at 5:55:47 AM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8c5083b46101428aace99c74ee61379
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8c5083b46101428aace99c74ee61379
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



"Mark" - 07-03-11 5:49:38 Service Pack 1
ComboFix 07-03-08 - Running from: "C:\Documents and Settings\Mark\Desktop"
Command switches used :: /v mlljk awtrpnk

((((((((((((((((((((((((((((((( Files Created from 2007-02-11 to 2007-03-11 ))))))))))))))))))))))))))))))))))


2007-03-10 13:46 0 --a------ C:\WINDOWS\system32\eraseme_65878.exe
2007-03-10 13:42 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Bitdefender
2007-03-10 13:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-03-10 13:06 155,411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-03-10 13:05 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-03-10 12:43 <DIR> d-------- C:\Program Files\NetGames
2007-03-09 19:30 0 --a------ C:\WINDOWS\system32\setup_21740.exe
2007-03-09 18:50 0 --a------ C:\WINDOWS\system32\eraseme_65180.exe
2007-03-09 10:21 0 --a------ C:\WINDOWS\system32\setup_24566.exe
2007-03-09 10:21 0 --a------ C:\WINDOWS\system32\eraseme_11685.exe
2007-03-09 06:11 0 --a------ C:\WINDOWS\system32\eraseme_57077.exe
2007-03-09 05:32 0 --a------ C:\WINDOWS\system32\setup_33775.exe
2007-03-08 11:09 5,821,808 --a------ C:\drweb-cureit.exe
2007-03-08 08:50 464,292 --a------ C:\WINDOWS\system32\kjllm.ini.vir
2007-03-08 02:04 <DIR> d-------- C:\DOCUME~1\Mark\DoctorWeb
2007-03-06 00:00 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-03-06 00:00 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-03-06 00:00 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-03-06 00:00 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-03-06 00:00 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-03-06 00:00 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-03-06 00:00 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-03-06 00:00 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-03-06 00:00 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-03-05 23:59 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-03-05 23:59 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-03-05 23:59 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-03-05 23:59 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-03-05 23:59 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-03-05 23:59 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-03-05 23:59 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-03-05 23:59 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-03-05 23:59 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2007-03-05 23:59 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-03-05 23:59 723,968 --a------ C:\WINDOWS\system32\dpnet.dll
2007-03-05 23:59 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-03-05 23:59 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2007-03-05 23:59 667,648 --a------ C:\WINDOWS\system32\dinput8.dll
2007-03-05 23:59 66,408 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-03-05 23:59 648,704 --a------ C:\WINDOWS\system32\dinput.dll
2007-03-05 23:59 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2007-03-05 23:59 602,624 --a------ C:\WINDOWS\system32\dx7vb.dll
2007-03-05 23:59 590,336 --a------ C:\WINDOWS\system32\d3dramp.dll
2007-03-05 23:59 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-03-05 23:59 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-03-05 23:59 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-03-05 23:59 491,520 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-03-05 23:59 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-03-05 23:59 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2007-03-05 23:59 47,616 --a------ C:\WINDOWS\system32\d3dxof.dll
2007-03-05 23:59 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-03-05 23:59 467,968 --a------ C:\WINDOWS\system32\diactfrm.dll
2007-03-05 23:59 44,032 --a------ C:\WINDOWS\system32\dimap.dll
2007-03-05 23:59 436,224 --a------ C:\WINDOWS\system32\d3dim.dll
2007-03-05 23:59 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-03-05 23:59 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-03-05 23:59 381,952 --a------ C:\WINDOWS\system32\dsound.dll
2007-03-05 23:59 381,952 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-03-05 23:59 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-03-05 23:59 350,208 --a------ C:\WINDOWS\system32\d3drm.dll
2007-03-05 23:59 34,816 --a------ C:\WINDOWS\system32\d3dpmesh.dll
2007-03-05 23:59 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-03-05 23:59 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2007-03-05 23:59 324,096 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-03-05 23:59 32,768 --a------ C:\WINDOWS\system32\dpnhpast.dll
2007-03-05 23:59 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2007-03-05 23:59 31,744 --a------ C:\WINDOWS\system32\pid.dll
2007-03-05 23:59 3,072 --a------ C:\WINDOWS\system32\dpnlobby.dll
2007-03-05 23:59 3,072 --a------ C:\WINDOWS\system32\dpnaddr.dll
2007-03-05 23:59 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2007-03-05 23:59 28,160 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-03-05 23:59 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2007-03-05 23:59 257,024 --a------ C:\WINDOWS\system32\qcap.dll
2007-03-05 23:59 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-03-05 23:59 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2007-03-05 23:59 223,232 --a------ C:\WINDOWS\system32\gcdef.dll
2007-03-05 23:59 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-03-05 23:59 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-03-05 23:59 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-03-05 23:59 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2007-03-05 23:59 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-03-05 23:59 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2007-03-05 23:59 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-03-05 23:59 16,896 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-03-05 23:59 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-03-05 23:59 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-03-05 23:59 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-03-05 23:59 132,608 --a------ C:\WINDOWS\system32\devenum.dll
2007-03-05 23:59 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-03-05 23:59 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2007-03-05 23:59 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2007-03-05 23:59 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-03-05 23:59 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-03-05 23:59 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-03-05 23:59 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-03-05 23:59 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2007-03-05 23:59 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-03-05 23:59 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2007-03-05 23:59 1,798,144 --a------ C:\WINDOWS\system32\qedit.dll
2007-03-05 23:59 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-03-05 23:59 1,703,936 --a------ C:\WINDOWS\system32\d3d9.dll
2007-03-05 23:59 1,294,336 --a------ C:\WINDOWS\system32\dsound3d.dll
2007-03-05 23:59 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-03-05 23:59 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2007-03-05 23:59 1,189,888 --a------ C:\WINDOWS\system32\dx8vb.dll
2007-03-05 23:59 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-05 23:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-05 22:43 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Apple Computer
2007-03-05 22:41 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-05 22:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-05 12:13 1,198 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-04 14:08 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-03 00:00 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Google
2007-03-03 00:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-03-02 23:59 <DIR> d-------- C:\Program Files\Google
2007-03-02 20:21 561,152 -ra------ C:\WINDOWS\system32\hpotscl.dll
2007-03-02 20:21 274,432 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2007-03-02 20:21 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-03-02 20:21 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-03-02 17:51 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-03-02 16:03 981,504 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2007-03-02 16:03 82,432 --a------ C:\WINDOWS\system32\drmstor.dll
2007-03-02 16:03 816,264 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-03-02 16:03 81,408 --a------ C:\WINDOWS\system32\logagent.exe
2007-03-02 16:03 760,968 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-03-02 16:03 678,912 --a------ C:\WINDOWS\system32\drmv2clt.dll
2007-03-02 16:03 670,208 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-03-02 16:03 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2007-03-02 16:03 410,248 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-03-02 16:03 301,712 --a------ C:\WINDOWS\system32\drmclien.dll
2007-03-02 16:03 253,952 --a------ C:\WINDOWS\system32\msnetobj.dll
2007-03-02 16:03 241,664 --a------ C:\WINDOWS\system32\qasf.dll
2007-03-02 16:03 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2007-03-02 16:03 232,960 --a------ C:\WINDOWS\system32\blackbox.dll
2007-03-02 16:03 218,112 --a------ C:\WINDOWS\system32\wmasf.dll
2007-03-02 16:03 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2007-03-02 16:03 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\FotoWire
2007-03-02 15:37 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-02 15:31 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\DivX
2007-03-02 15:31 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\AVG7
2007-03-02 15:12 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-03-02 15:09 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-03-02 15:09 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-02-22 10:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-02-22 10:43 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-02-21 05:34 4,660 --a------ C:\WINDOWS\is67160.exe
2007-02-20 01:06 <DIR> d-------- C:\Program Files\i-Fun Viewer
2007-02-19 00:17 52,224 --a------ C:\WINDOWS\system32\Crypserv.exe
2007-02-19 00:17 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2007-02-19 00:17 24,608 --a------ C:\WINDOWS\system32\Ckldrv.sys
2007-02-19 00:17 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2007-02-19 00:17 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2007-02-19 00:17 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2007-02-15 02:18 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\DivX
2007-02-14 21:51 36,624 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-02-14 21:51 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-14 21:51 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-14 21:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-02-14 21:51 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-02-14 21:51 116,472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-02-14 21:50 <DIR> d-------- C:\Program Files\DivX
2007-02-14 21:09 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\River Past G4
2007-02-14 21:03 163,426 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-02-14 21:03 <DIR> d-------- C:\Program Files\River Past
2007-02-14 21:03 <DIR> d-------- C:\Program Files\Common Files\River Past
2007-02-14 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\River Past G4
2007-02-14 00:55 <DIR> d-------- C:\Program Files\BitLord
2007-02-13 22:49 <DIR> d-------- C:\Program Files\Studio e.go!
2007-02-13 22:48 304,128 --a------ C:\WINDOWS\IsUn0411.exe
2007-02-13 22:20 <DIR> d-------- C:\Program Files\CCleaner
2007-02-11 16:04 <DIR> d-------- C:\Program Files\DAMN NFO Viewer


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-11 01:57 -------- d--h----- C:\Program Files\installshield installation information
2007-03-11 01:57 -------- d-------- C:\Program Files\logitech
2007-03-10 13:13 -------- d---s---- C:\DOCUME~1\Mark\APPLIC~1\microsoft
2007-03-07 15:42 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\yahoo!
2007-03-07 00:27 -------- d-------- C:\Program Files\megauploadtoolbar
2007-03-05 23:58 -------- d-------- C:\Program Files\directx
2007-03-05 22:42 -------- d-------- C:\Program Files\quicktime
2007-03-04 11:39 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\adobeum
2007-03-03 17:10 84 ---h-c--- C:\WINDOWS\popcinfo.dat
2007-03-02 17:33 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\avg7
2007-03-02 15:29 22776 --a--c--- C:\WINDOWS\system32\emptyregdb.dat
2007-02-19 00:48 -------- d-------- C:\Program Files\swishmax
2007-02-14 22:02 4368 --a--c--- C:\WINDOWS\mozver.dat
2007-02-14 00:54 -------- d-------- C:\Program Files\virtual villagers
2007-02-14 00:53 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\utorrent
2007-02-09 02:23 -------- d-------- C:\Program Files\combined community codec pack
2007-02-08 00:40 -------- d-------- C:\Program Files\Common Files\real
2007-02-07 22:21 -------- d-------- C:\Program Files\real
2007-02-07 18:32 -------- d-------- C:\Program Files\rm converter
2007-02-07 10:35 164 --a------ C:\install.dat
2007-02-05 17:08 -------- d-------- C:\Program Files\bullfrog
2007-02-03 01:36 -------- d-------- C:\Program Files\alcohol soft
2007-02-03 01:34 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-01-31 20:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 20:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 20:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 20:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 13:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-30 15:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-29 21:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-29 21:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-29 21:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 20:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 20:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 20:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 20:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-29 20:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 20:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 20:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 20:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-29 19:31 11961713 --------- C:\AVG7QT.DAT
2007-01-27 21:50 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\swishvideo
2007-01-20 16:39 -------- d-------- C:\Program Files\limewire
2007-01-20 16:07 -------- d-------- C:\Program Files\popcap games
2007-01-17 22:13 -------- d-------- C:\Program Files\chikka messenger
2007-01-17 22:13 -------- d-------- C:\Program Files\chikka
2007-01-16 00:31 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-16 00:30 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\megauploadtoolbar
2007-01-15 23:45 -------- d-------- C:\Program Files\crimsonland
2007-01-15 19:42 99965 --a------ C:\WINDOWS\uninstallfirefox.exe
2006-12-12 08:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1135973688.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1158269651.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-11 5:52:27
C:\ComboFix2.txt ... 07-03-08 15:34


Every time I try to clean my PC something always tries to get in; damn, the internet is a nasty place :thumbsup:

Again, thanks for taking the time to help me

#9 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 10 March 2007 - 07:56 AM

Hi,

Almost there..

Delete the following files (they are 0 bytes anyway):

C:\WINDOWS\system32\eraseme_65878.exe
C:\WINDOWS\system32\setup_21740.exe
C:\WINDOWS\system32\eraseme_65180.exe
C:\WINDOWS\system32\setup_24566.exe
C:\WINDOWS\system32\eraseme_11685.exe
C:\WINDOWS\system32\eraseme_57077.exe
C:\WINDOWS\system32\setup_33775.exe
C:\WINDOWS\system32\kjllm.ini.vir

Your Hijackthislog looks clean again.

As a final cleanup..

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
  • Post the contents of the AVG Anti-Spyware log you saved in your next reply.


#10 pasta (Topic Starter, Members, 19 posts)

Posted 10 March 2007 - 08:24 AM

Umm, I just uninstalled AVG cos my friend suggested BitDefender Plus v10, so I have that installed.

Is that gonna be a problem? :thumbsup:

#11 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 10 March 2007 - 08:27 AM

Hi,

I am talking about AVG Antispyware here. This won't interfere with another Antivirus present, since it's not AVG Antivirus, but AVG Antispyware, which is a difference :thumbsup:

#12 pasta (Topic Starter, Members, 19 posts)

Posted 11 March 2007 - 01:19 AM

Here it is:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:04:59 AM 3/12/2007

+ Scan result:



C:\SDFix\backups\backups.zip/backups/eraseme_18673.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_05415.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_06727.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_08147.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_14525.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_34151.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_36755.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_38363.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_64852.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/setup_68752.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/spoolvc.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\Documents and Settings\Mark\Cookies\mark@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Mark\Local Settings\Temp\XPKey.exe -> Trojan.Small.edz : Cleaned with backup (quarantined).


::Report end

#13 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:12 AM

Posted 11 March 2007 - 02:32 AM

Looking OK. How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 pasta
  • Topic Starter
  • Members
  • 19 posts
  • Local time:12:12 AM

Posted 11 March 2007 - 12:15 PM

:thumbsup:

well things are going fine now except for this thing that bitdefender keeps blocking

Generic.Botget.F6DEE286

the last part keeps changing every time it's blocked
"Generic.Botget.********"

it always creates a file in "c:\windows\system32\i"

anyways thanks for your patience and help :flowers:

Edited by pasta, 11 March 2007 - 12:54 PM.
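The post above describes a file that keeps reappearing under System32 and is re-detected under a changing name. The script below is an added example, not something posted in this thread: it is how a responder would enumerate recently created or modified files under System32, hash them and check their Authenticode status, so the dropped file (and anything dropped next to it) can be identified and looked up. It assumes Windows PowerShell 5.1 (for Get-FileHash and Get-AuthenticodeSignature) and an elevated prompt; the 7-day window and the report path are illustrative choices.

```powershell
# Added example (not from the original thread): list files recently created
# or modified under System32 so a recurring dropper can be identified.
# Assumptions: Windows PowerShell 5.1, elevated prompt. The 7-day window
# and the CSV report path are illustrative choices, not taken from the thread.

$days   = 7
$since  = (Get-Date).AddDays(-$days)
$root   = Join-Path $env:SystemRoot 'System32'
$report = Join-Path $env:USERPROFILE 'Desktop\system32-recent.csv'

# -Force includes hidden and system files, which droppers often set.
$recent = Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since }

$rows = foreach ($f in $recent) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        Bytes     = $f.Length
        Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        SHA256    = if ($hash) { $hash.Hash } else { '' }
        Signature = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Files that are not validly signed sort first, newest first within each group.
$sorted = $rows | Sort-Object @{ Expression = { $_.Signature -ne 'Valid' } }, Created -Descending
$sorted | Export-Csv -LiteralPath $report -NoTypeInformation

# Console view of the interesting subset: unsigned, badly signed or hidden files.
$sorted | Where-Object { $_.Signature -ne 'Valid' -or $_.Hidden } |
    Select-Object Created, Bytes, Signature, Path | Format-Table -AutoSize

"Full report: $report ($($rows.Count) files created or modified since $since)"
```

A file that is repeatedly blocked and re-created means something still running is writing it; the hash column gives you a value to search for, and the unsigned or hidden rows are the ones to check against running processes and autostart entries, which is what the HijackThis and Blacklight logs requested in this thread are for.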


#15 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:12 AM

Posted 11 March 2007 - 01:29 PM

Hi,

Do next please...

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click "Scan", then "Next".
You'll see a list of all items found, if any, so don't worry if it says no files were found.
In case hidden files were found, don't choose to rename yet! I want to see the log first, because legitimate items can also be present there...
There should also be a log on your desktop named fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
I need that log later.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear Now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then, after cleaning temp files etc...

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX control that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with the log from Blacklight.
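The cache, cookie, temp-file and Recycle Bin steps in the post above are a single procedure that is easy to script so it runs the same way every time. The block below is an added example and is not part of the thread: it assumes Windows PowerShell 5.1 on a current Windows build (so the IE cache lives under $env:LOCALAPPDATA and the rundll32 ClearMyTracksByProcess helper exists), an elevated prompt, and uses a report file name of my own choosing. The post's screenshots-era paths differ on Windows XP.

```powershell
# Added example (not from the original thread): scripted version of the
# "clean cache, cookies, temp files and Recycle Bin" steps above.
# Assumptions: Windows PowerShell 5.1, elevated prompt, IE/legacy Edge
# cache under $env:LOCALAPPDATA. The report path is an illustrative choice.

$ErrorActionPreference = 'Continue'
$log = Join-Path $env:USERPROFILE 'Desktop\cleanup-report.txt'

function Write-Report {
    param([string]$Message)
    Add-Content -LiteralPath $log -Value $Message
    Write-Host $Message
}

function Remove-TreeContents {
    param([string]$Path, [string]$Label)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Report "$Label : path not found ($Path)"
        return
    }
    $items = Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue
    $bytes = [long](($items | Where-Object { -not $_.PSIsContainer } |
                     Measure-Object -Property Length -Sum).Sum)
    # Delete children only; the folder itself stays so the owning application keeps working.
    $items | Sort-Object FullName -Descending |
        Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    Write-Report ("$Label : removed {0:N0} bytes from $Path" -f $bytes)
}

# 1. Close browsers first, as the post says: open handles keep cache files locked.
Get-Process iexplore, msedge, firefox -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. IE cache, cookies and history. 255 = "delete all" for the built-in helper (IE7 and later).
Start-Process -FilePath rundll32.exe -ArgumentList 'inetcpl.cpl,ClearMyTracksByProcess 255' -Wait
# Explicit sweep of the cache folders in case the helper leaves files behind.
Remove-TreeContents (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache')   'IE cache'
Remove-TreeContents (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCookies') 'IE cookies'

# 3. Firefox cache for every profile present (cache2 folder under Local AppData).
$ffProfiles = Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $ffProfiles) {
    Get-ChildItem -LiteralPath $ffProfiles -Directory | ForEach-Object {
        Remove-TreeContents (Join-Path $_.FullName 'cache2') "Firefox cache ($($_.Name))"
    }
}

# 4. User and system temp folders (the "Temporary Files" entry of cleanmgr).
Remove-TreeContents $env:TEMP 'User temp'
Remove-TreeContents (Join-Path $env:SystemRoot 'Temp') 'System temp'

# 5. Recycle Bin on all drives.
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
Write-Report 'Recycle Bin emptied'

Write-Report "Report written to $log"
```

One caveat a responder would add: emptying temp folders and the Recycle Bin destroys artifacts that show how the machine was infected, which is why this post orders it after the scanners have already quarantined their finds (the SDFix and AVG backups listed earlier in the thread). If you still need evidence, copy the temp folders elsewhere before running the sweep.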

