Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Popups And Other Problems.


  • Please log in to reply
7 replies to this topic

#1 Deadlyknight

Deadlyknight

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 25 March 2007 - 11:33 PM

Hello,
Currently getting popups and other problems on computer. I have run several virus and spyware/adware programs but still continue to have problems.

Here is HiJackThis logfile.

Logfile of HijackThis v1.99.1
Scan saved at 10:17:56 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SYSTEM32\spider.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\shdocvs.dll (file missing)
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1001e8b1-41ba-4044-b628-967c63e89620} - C:\WINDOWS\system32\winise.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {890C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/15008/CTPID.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winise - C:\WINDOWS\SYSTEM32\winise.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Any help here would be greatly appreciated.

BC AdBot (Login to Remove)

 


#2 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:07:06 AM

Posted 26 March 2007 - 08:48 AM

Hi :thumbsup:

Please download and run http://www.thespykiller.co.uk/files/HJTsetup.exe

It will install hijackthis in C:\Program Files\Hijackthis
After installation, go into that folder and run hijackthis, do a new scan, save the log, and then post the new log here and do not cut it whatsoever.

I would like to see if any other startups are involved. To do this, I need to see another type of log please. Go here and download Silent Runners.vbs to a new folder on your Desktop (Clicking the the download link works if you use IE. If you use FireFox, rightclick on the link and choose "Save Link As") and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (make sure you wait for the popups please) Please post the information back in this thread too (you may need to make a couple of posts). If your antivirus program queries the script, allow it to run. It's not malicious.

#3 Deadlyknight

Deadlyknight
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 26 March 2007 - 06:29 PM

New HJK log:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:41 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\shdocvs.dll (file missing)
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1001e8b1-41ba-4044-b628-967c63e89620} - C:\WINDOWS\system32\winise.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp19.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {890C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\vtrrqn.dll",setvm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/15008/CTPID.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winise - C:\WINDOWS\SYSTEM32\winise.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


Silent Runner Log:
Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"SoundService" = "rundll32.exe "C:\WINDOWS\vtrrqn.dll",setvm" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Doc Object and Control Helper Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvs.dll" [file not found]
{00534B55-3155-CA4F-B41D-0E922121D03C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Event Object Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cscentfy.dll" [MS]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1001e8b1-41ba-4044-b628-967c63e89620}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\winise.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{57E218E6-5A80-4f0c-AB25-83598F25D7E9}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\tmp19.tmp.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "D:\Program Files\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}" = "Web Folders"
-> {HKLM...CLSID} = "Web Folders"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [file not found]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {HKLM...CLSID} = "Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {HKLM...CLSID} = "Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {HKLM...CLSID} = "Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {HKLM...CLSID} = "Background Thumbnail Generator"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Thumbnails"
-> {HKLM...CLSID} = "Thumbnails"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\THUMBVW.DLL" [file not found]
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}" = "Default Image Extrator for Properties"
-> {HKLM...CLSID} = "Default Image Extrator for Properties"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\THUMBVW.DLL" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{07C45BB1-4A8C-4642-A1F5-237E7215FF66}" = "IE Microsoft BrowserBand"
-> {HKLM...CLSID} = "IE Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"
-> {HKLM...CLSID} = "IE Fade Task"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{205D7A97-F16D-4691-86EF-F3075DCCA57D}" = "IE Menu Desk Bar"
-> {HKLM...CLSID} = "IE Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"
-> {HKLM...CLSID} = "IE AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"
-> {HKLM...CLSID} = "IE Navigation Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"
-> {HKLM...CLSID} = "IE Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"
-> {HKLM...CLSID} = "IE Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{6038EF75-ABFC-4e59-AB6F-12D397F6568D}" = "IE Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "IE Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"
-> {HKLM...CLSID} = "IE Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{73CFD649-CD48-4fd8-A272-2070EA56526B}" = "IE BandProxy"
-> {HKLM...CLSID} = "IE BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}" = "IE MRU AutoComplete List"
-> {HKLM...CLSID} = "IE MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E}" = "IE RSS Feeder Folder"
-> {HKLM...CLSID} = "IE RSS Feeds Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}" = "IE Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "IE Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{B31C5FAE-961F-415b-BAF0-E697A5178B94}" = "IE Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "IE Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}" = "IE Shell Rebar BandSite"
-> {HKLM...CLSID} = "IE Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{E6EE9AAC-F76B-4947-8260-A9F136138E11}" = "IE Shell Band Site Menu"
-> {HKLM...CLSID} = "IE Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}" = "IE Registry Tree Options Utility"
-> {HKLM...CLSID} = "IE Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" = "IE User Assist"
-> {HKLM...CLSID} = "IE User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}" = "IE Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "IE Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> winise\DLLName = "winise.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoRecentDocsHistory" = (REG_BINARY) hex:64 00 06 00
{unrecognized setting}
"CDRAutoRun" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Maxie Sherrow\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------
"Tune-up Application Start" -> launches: "walign" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "D:\PROGRA~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "D:\Program Files\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "D:\Program Files\NavShExt.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "PostNotCached" = "res://ieframe.dll/repost.htm" [file not found]
<<H>> "NoAdd-ons" = "res://ieframe.dll/noaddon.htm" [file not found]
<<H>> "NoAdd-onsInfo" = "res://ieframe.dll/noaddoninfo.htm" [file not found]
<<H>> "SecurityRisk" = "res://ieframe.dll/securityatrisk.htm" [file not found]
<<H>> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Norton AntiVirus Auto Protect Service, navapsvc, "D:\Program Files\navapsvc.exe" ["Symantec Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]

----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 458 seconds, including 18 seconds for message boxes)

Thank you again for your time.

#4 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:07:06 AM

Posted 27 March 2007 - 06:34 AM

Hi :thumbsup:

Please download
VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will shutdown your computer,
    click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new
    HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not
remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

#5 Deadlyknight

Deadlyknight
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 30 March 2007 - 09:33 AM

Vundofix Log:
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 10:38:19 PM 3/29/2007
Listing files found while scanning....
No infected files were found.

Beginning removal...


New HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:18:55 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1001e8b1-41ba-4044-b628-967c63e89620} - C:\WINDOWS\system32\winise.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp3.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {890C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\urrpno.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/15008/CTPID.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winise - C:\WINDOWS\SYSTEM32\winise.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


Kapersky log:
Friday, March 30, 2007 8:23:35 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/03/2007
Kaspersky Anti-Virus database records: 288936


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 49176
Number of viruses found 7
Number of infected objects 104 / 0
Number of suspicious objects 0
Duration of the scan process 01:30:05

Infected Object Name Virus Name Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\ipv6monl.dll Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\yaxyvw.dll Infected: Trojan.Win32.Agent.agv skipped

C:\WINDOWS\vtrrqq.dll Infected: Trojan.Win32.Agent.agv skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{7FBA8BBC-8B4E-4A6B-9E95-6C4484AD553A}.bin Object is locked skipped

C:\WINDOWS\gedcyv.dll Infected: Trojan.Win32.Agent.agv skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\__delete_on_reboot__t_u_v_u_u_s_._d_l_l_ Infected: Trojan.Win32.Agent.agv skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\ntuser.dat Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Local Settings\History\History.IE5\MSHist012007033020070331\index.dat Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Local Settings\Temporary Internet Files\Content.IE5\4P2N0HEF\lientnstaller15_02[1].srf Infected: Trojan-Downloader.Win32.Agent.bjk skipped

C:\Documents and Settings\Maxie Sherrow\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Application Data\Aim\yfinfyre\IThankYouMyChild\cert8.db Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\Application Data\Aim\yfinfyre\IThankYouMyChild\key3.db Object is locked skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\tmp9.tmp.dll.bac_a02540 Infected: Trojan.Win32.Agent.agv skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\nnnollk.dll.bac_a02540 Infected: Trojan-Downloader.Win32.ConHook.ah skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\tmp8.tmp.exe.bac_a02540 Infected: Trojan-Downloader.Win32.Agent.bjk skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\tmp9.tmp.exe.bac_a02540 Infected: Trojan.Win32.Agent.agv skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\tmp4.tmp.exe.bac_a02540 Infected: Trojan-Downloader.Win32.Agent.bjk skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\tmp5.tmp.exe.bac_a02540 Infected: Trojan.Win32.Agent.agv skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\lientnstaller15_02[1].aspx.bac_a02540 Infected: Trojan-Downloader.Win32.Agent.bjk skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\bleep[1].bac_a02540 Infected: Trojan.Win32.Agent.agv skipped

C:\Documents and Settings\Maxie Sherrow\.housecall6.6\Quarantine\A0009234.dll.bac_a02540 Infected: Trojan.Win32.Agent.agv skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP6\A0001283.dll Infected: Trojan.Win32.Agent.agv skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP6\A0001306.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP8\A0002356.dll Object is locked skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP9\A0002403.dll Infected: Trojan.Win32.Agent.agv skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP10\A0002446.dll Infected: Trojan.Win32.Agent.agv skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP12\A0002509.dll Infected: Trojan.Win32.Agent.agv skipped

C:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP12\change.log Object is locked skipped

D:\Program Files\Quarantine\42F20065.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\43B9018A.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\21F868F7.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\221562D7.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\223606B3.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\2249029E.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\22530093.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\22A1703C.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\22BC4020.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\22CC120E.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\22D26607.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\22F05FE6.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\230705CD.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\23142DBF.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\23247FAD.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\233B2594.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\235C4970.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\26036684.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped

D:\Program Files\Quarantine\269647E2.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\27607304.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\2F59743E.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\302D1D54.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\31BF499A.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\36744E6C.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\38067AB2.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\38CD7BD7.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\38F149AF.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\3A657C16.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\3E537FC3.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\3F142CEF.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\3FE1020C.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\40A90331.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\41732E52.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\43C931C1.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\46F60842.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\47BD0967.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\494F35AD.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\5B7941AF.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\56FB260E.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\570F21F8.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\05016368.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\107954C9.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\4A075573.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\61070A24.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\77FD40DF.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\625041DE.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\766A3BBF.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\01EC2B15.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\2FEF3E73.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\44240837.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\46F21D20.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\52845E65.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\75262648.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\0A5366FB.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\17732A89.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\2E663748.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\3A221A5E.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\2D5C1591.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7AC41EF3.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7ACE1CE8.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7B30087D.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7B3D306E.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7B4A5860.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7B535655.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7B5A2A4E.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7C287F6B.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7C694724.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7C734519.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7CFC2882.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7D65680F.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7DAC03C0.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7E323D2C.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7E3C3B22.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7E430F1B.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7E496313.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7E9428C1.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7EE3186A.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7EE96C63.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7F0D3A3C.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7F2A341B.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7F3E3006.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7F8975B3.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\7FDE3956.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\004D4CDC.exe Infected: Packed.Win32.Tibs.e skipped

D:\Program Files\Quarantine\01913DFA.qav Infected: Trojan-Clicker.Win32.Small.js skipped

D:\System Volume Information\_restore{8ECA4FF2-8214-4D15-859D-F70F59A8D3D2}\RP12\change.log Object is locked skipped

#6 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:07:06 AM

Posted 31 March 2007 - 10:19 AM

Download and unzip Avenger to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste all the text in the quote box below.

Files to delete:
C:\WINDOWS\vtrrqn.dll
C:\WINDOWS\system32\winise.dll
C:\WINDOWS\system32\tmp19.tmp.dll


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Note: This script is for this topic only and should not be used for any other

Download Combofix.exe from here.

Doubleclick on combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Disk Cleanup will run and then a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Download "FindAWF" from: http://noahdfear.geekstogo.com/FindAWF.exe

Save to desktop and run, it will generate a log file named: awf.txt

Please paste in your reply the avenger log, the combofix log and the awf.txt

#7 Deadlyknight

Deadlyknight
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 31 March 2007 - 06:36 PM

Avenger Log:

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\vtrrqn.dll not found!
Deletion of file C:\WINDOWS\vtrrqn.dll failed!

Could not process line:
C:\WINDOWS\vtrrqn.dll
Status: 0xc0000034

File C:\WINDOWS\system32\winise.dll deleted successfully.


Could not open file C:WINDOWS\system32\tmp19.tmp.dll for deletion
Deletion of file C:WINDOWS\system32\tmp19.tmp.dll failed!

Could not process line:
C:WINDOWS\system32\tmp19.tmp.dll
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.


Combofix Log:

"Maxie Sherrow" - 07-03-31 17:15:10 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\Maxie Sherrow\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\system32\tmp19.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmpE2E.tmp.dll
C:\WINDOWS\system32\ipv6monl.dll
C:\WINDOWS\start.exe
C:\WINDOWS\system32\dsuiexq.dll

((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))

2007-03-31 17:08 <DIR> d-------- C:\avenger
2007-03-29 23:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-03-29 17:19 <DIR> d-------- C:\DOCUME~1\STEVES~1\APPLIC~1\Sun
2007-03-27 23:46 106,539 --a------ C:\WINDOWS\gedcyv.dll
2007-03-26 17:35 106,539 --a------ C:\WINDOWS\yaxyvw.dll
2007-03-26 16:44 488,144 --a------ C:\Program Files\HJTsetup.exe
2007-03-25 22:48 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-03-25 21:34 <DIR> d-------- C:\VundoFix Backups
2007-03-23 08:56 106,539 --a------ C:\WINDOWS\vtrrqq.dll
2007-03-21 22:28 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-03-21 12:48 <DIR> d-------- C:\WINDOWS\Sun
2007-03-21 12:48 <DIR> d-------- C:\DOCUME~1\MAXIES~1\APPLIC~1\Sun
2007-03-20 23:54 5 --a------ C:\WINDOWS\SYSTEM32\fontqxet.dll
2007-03-20 17:25 8 --a------ C:\WINDOWS\SYSTEM32\sdfinacs.dll
2007-03-20 17:25 13 --a------ C:\WINDOWS\SYSTEM32\rasqervy.dll
2007-03-20 17:24 23,040 --a------ C:\WINDOWS\SYSTEM32\cscentfy.dll
2007-03-20 17:24 115 --a------ C:\WINDOWS\SYSTEM32\wuasirvy.dll
2007-03-20 17:24 1,422 --a------ C:\WINDOWS\SYSTEM32\comcs32c.dll
2007-03-20 01:00 <DIR> d-------- C:\DOCUME~1\MAXIES~1\.housecall6.6
2007-03-19 19:43 <DIR> d-------- C:\DOCUME~1\MAXIES~1\APPLIC~1\DriveCleaner Free
2007-03-19 19:21 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free
2007-03-18 11:23 <DIR> d--hs---- C:\UWA7P
2007-03-17 23:23 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-03-17 23:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-03-16 15:51 27,339 --a------ C:\WINDOWS\SYSTEM32\awtus.exe
2007-03-15 12:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-19 16:15 22720 --a------ C:\WINDOWS\SYSTEM32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"D:\\Program Files\\antispyware\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\tuvuus.dll\",setvm"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Reminder"="C:\\Program Files\\Microsoft Money\\System\\reminder.exe"
"AIM"="C:\\PROGRAM FILES\\AIM\\aim.exe -cnetwait.odl"
"Weather"="C:\\PROGRAM FILES\\AWS\\WEATHERBUG\\WEATHER.EXE 1"
"msnmsgr"="\"C:\\PROGRAM FILES\\MSN MESSENGER\\MSNMSGR.EXE\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"WildTangent CDA"="RUNDLL32.exe C:\\PROGRA~1\\WILDTA~1\\APPS\\CDA\\CDAENG~1.DLL,cdaEngineMain"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM32\\WUCRTUPD.EXE -startup"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"LoadQM"="loadqm.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"HP Software Update"="D:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Adware.Srv32"="C:\\WINDOWS\\system32\\runsrv32.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"FLMOFFICE4DMOUSE"="D:\\\\mouse32a.exe"
"Transponder"="C:\\WINDOWS\\system32\\susp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"ATIPOLL"="ati2evxx.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\ WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Sandisk\\Common\\Bin\\WINCIN~1.EXE "
"item"=" WinCinema Manager"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk.disabled"
"item"="Adobe Reader Speed Launch.lnk"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk.disabled"
"item"="HP Digital Imaging Monitor.lnk"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk.disabled"
"item"="HP Image Zone Fast Start.lnk"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Find Fast.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Microsoft Find Fast.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Find Fast.lnk.disabled"
"item"="Microsoft Find Fast.lnk"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Office Startup.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Office Startup.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Office Startup.lnk.disabled"
"item"="Office Startup.lnk"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dddcaa"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\dddcaa.dll\",setvm"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dcsm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dcsm"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\DriveCleaner Free\\dcsm.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Free]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UDC"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DriveCleaner Free\\UDC.exe\" /min"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="D:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mav_startupmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mav_startupmon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\WinAntiVirus Pro 2007\\mav_startupmon.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6cw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UDC6cw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DriveCleaner Free\\UDC6cw.exe\" -c"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=hex:64,00,06,00
"CDRAutoRun"=hex:00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=hex:64,00,06,00
"CDRAutoRun"=hex:00,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=hex:64,00,06,00
"CDRAutoRun"=hex:00,00,00,00
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://65.54.175.250/cgi-bin/getmsg/Loki1....7a3f513ad9091ba
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winise
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-31 17:20:17


AWF Log:

Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:00 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/25/2006 10:26 AM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

02/19/2007 11:31 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of D:\PROGRA~1\BAK

08/16/2001 05:52 PM 74,832 navapw32.exe
1 File(s) 74,832 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
155648 Dec 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
463552 Sep 6 2004 "C:\Program Files\GoogleToolbarInstaller.exe"
52272 Feb 19 2007 "C:\Program Files\Google\googletoolbar5user.exe"
558240 Sep 25 2005 "C:\Documents and Settings\Maxie Sherrow\Desktop\GoogleToolbarInstaller.exe"
138168 Feb 19 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Feb 19 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
74832 Aug 16 2001 "D:\Program Files\bak\navapw32.exe"


end of report

#8 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:07:06 AM

Posted 01 April 2007 - 09:38 AM

Hi :thumbsup:

Download this file to your desktop. Right click it and select the Merge option.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste all the text in the quote box below.

Files to delete:
C:\WINDOWS\gedcyv.dll
C:\WINDOWS\yaxyvw.dll
C:\WINDOWS\vtrrqq.dll
C:\WINDOWS\SYSTEM32\rasqervy.dll
C:\WINDOWS\SYSTEM32\fontqxet.dll
C:\WINDOWS\SYSTEM32\sdfinacs.dll
C:\WINDOWS\dddcaa.dll

Folders to delete:
C:\Program Files\Common Files\WinAntiVirus Pro 2007\


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Note: This script is for this topic only and should not be used for any other

Download and scan with AVG Anti-Spyware v7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to AVG Anti-Spyware which has a special "clean driver" for removing persistent malware.)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update succesfull message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
1. Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so may hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.


After reboot post a new silentrunners's log, the AVG log and the avenger log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users