
Infected By Trojan-downloader.win32.delf.pa (trojan.stwoyle), Avkiller.c And More


This topic is locked
11 replies to this topic

#1 dantes


Posted 01 April 2007 - 07:42 PM

hello,

I've read most of the manuals here and tried my best to scan and recover my PC. The problem is, since I got infected by those trojans, I cannot use my antivirus/antispyware programs. They are instantly closed as I open them, so I can't use AVG, HijackThis, and others. I'm not able to open websites that are connected to antivirus programs, with some exceptions.
Though I can't download and install them on my PC, even in safe mode, I managed to scan the PC online using Panda ActiveScan and BitDefender. Those found hundreds of trojans and spyware on my computer. I have also used Search & Destroy (with little effect) and Ad-Aware, but they weren't as effective as Panda and BitDefender.
Although they have deleted quite a few, I still can't access AVG, HijackThis, and certain websites, including some of the forums here like HijackThis Log Analysis (typical AVKiller.C work...).
I'm writing this post from another computer, since I cannot enter the forum from mine.

Please advise me on how to clean my computer and get rid once and for all of those pests.
I've added some examples of the viruses found during the scan (some could not be deleted):

Panda's Active scan found:

Virus:Trj/Downloader.MOW Disinfected
C:\WINDOWS\system32\bxjoqoiabbjn.dll

BitDefender has discovered, but could not clean:

C:\WINDOWS\system32\vpxyofsugazx.dll
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\WINDOWS\system32\vpxyofsugazx.dll
Disinfection failed

C:\WINDOWS\system32\vpxyofsugazx.dll
Delete failed

C:\WINDOWS\system32\urlnxqkxrfww.dll
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\WINDOWS\system32\urlnxqkxrfww.dll
Disinfection failed

C:\WINDOWS\system32\urlnxqkxrfww.dll
Delete failed

C:\WINDOWS\system32\hjthis101.dll
Infected with: Trojan.AVKiller.Agent.C

C:\WINDOWS\system32\hjthis101.dll
Disinfection failed

C:\WINDOWS\system32\hjthis101.dll
Delete failed

C:\WINDOWS\system32\ipmnipmqsxye.dll
Infected with: Trojan.Downloader.Delf.AMB

C:\WINDOWS\system32\ipmnipmqsxye.dll
Disinfection failed

C:\WINDOWS\system32\ipmnipmqsxye.dll
Delete failed

There were literally hundreds more, but they were deleted by the scanning program. Those above are still causing trouble.
I'd appreciate your suggestions and help.
Thanks,
Dan


#2 dantes


Posted 02 April 2007 - 03:26 AM

I was directed to this forum by fozzie:

You have a nasty infection on hand: Trojan-Downloader.Win32.Delf.pa (Trojan.Stwoyle). You will not be able to run HijackThis unless a special tool is utilised. Please post the Panda report in the HijackThis forum here and they will help you. This is a sophisticated tool which needs expertise.


What is this tool he is speaking of, and how can I utilise it?

Thank you for your time.

Edited by dantes, 02 April 2007 - 03:27 AM.


#3 amateur

Malware Response Team

Posted 03 April 2007 - 07:48 AM

Hello and welcome to BC. :thumbsup:

Download win32delfkil
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Next, let's see if you can run this tool:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Please post the contents of the logfile c:\windelf.txt, along with main.txt and extra.txt.
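The DLLs BitDefender reported as BehavesLike:Trojan.WinlogonHook are registered as Winlogon Notify packages, which winlogon.exe loads at every logon; that is why they survive ordinary deletion and why HijackThis "fixes" of the O20 entries do not stick while the hook is still loaded. Below is an added example, not part of this thread and not code from HijackThis, DSS or win32delfkil, of the triage a log helper does by hand on the HijackThis lines requested above: it flags O20 Winlogon Notify entries that are not in a (partial, assumed) Windows XP baseline or have random-looking names, O23 services whose binary runs from a user profile or temp directory, and entries in the HijackThis "Fixed Entries" backup listing that were fixed more than once, meaning something re-created them after removal. The sample log lines are constructed, modelled on entries posted in this thread; the crypt32chain line is a constructed benign entry for contrast.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the HijackThis O20/O23 lines and the
# "HijackThis Fixed Entries" backup listing posted in this thread.
# The crypt32chain line is a constructed benign entry for contrast.
HJT_LOG = r"""
O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: AZJON - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Itai\LOCALS~1\Temp\AZJON.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

HJT_BACKUPS = r"""
backup-20070407-161946-271 O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
backup-20070407-161946-745 O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
backup-20070407-162041-665 O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
backup-20070407-162041-806 O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
backup-20061118-044622-180 O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)
"""

# Winlogon Notify subkeys that ship with Windows XP. Assumption: this is a
# partial baseline; a real check compares against a clean machine of the same build.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
BACKUP_RE = re.compile(r"^backup-\d{8}-\d{6}-\d+ (?P<entry>.+)$")
# Service binaries have no business living under a user profile or temp directory.
USER_DIR_RE = re.compile(r"\\(docume~1|documents and settings|temp)\\", re.I)
RARE_LETTERS = set("jkqvwxz")


def looks_random(name):
    """Heuristic for machine-generated names: many rare letters or almost no
    vowels. Deliberately conservative so short real names are not flagged."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 8:
        return False
    vowels = sum(ch in "aeiouy" for ch in letters)
    rare = sum(ch in RARE_LETTERS for ch in letters)
    return rare >= 3 or vowels / len(letters) < 0.2


def triage_o20(lines):
    """Return (name, path, reasons) for Winlogon Notify entries worth a look."""
    findings = []
    for line in lines:
        m = O20_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["name"].lower() not in XP_NOTIFY_BASELINE:
            reasons.append("not in XP Winlogon Notify baseline")
        if looks_random(m["name"]):
            reasons.append("random-looking DLL name")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


def triage_o23(lines):
    """Return (name, path, reasons) for services started from a user/temp directory."""
    findings = []
    prefix = "O23 - Service: "
    for line in lines:
        if not line.startswith(prefix):
            continue
        # HJT prints "display name - owner - path"; the owner field may itself
        # contain " - ", so split the path off from the right.
        rest, path = line[len(prefix):].rsplit(" - ", 1)
        name = rest.split(" - ")[0]
        if USER_DIR_RE.search(path):
            findings.append((name, path, ["service binary under user profile/temp directory"]))
    return findings


def refixed_entries(backup_lines, threshold=2):
    """Entries HijackThis 'fixed' more than once were re-created after removal:
    whatever writes them (here, the Winlogon hook itself) is still running."""
    counts = Counter()
    for line in backup_lines:
        m = BACKUP_RE.match(line)
        if m:
            counts[m["entry"]] += 1
    return {entry: n for entry, n in counts.items() if n >= threshold}


def report(log_text, backup_text):
    """Build the human-readable triage a log helper would post back."""
    lines = log_text.strip().splitlines()
    out = []
    for name, path, reasons in triage_o20(lines) + triage_o23(lines):
        out.append(f"SUSPECT {name}: {path} [{'; '.join(reasons)}]")
    for entry, n in refixed_entries(backup_text.strip().splitlines()).items():
        out.append(f"RE-CREATED x{n}: {entry}")
    return out


if __name__ == "__main__":
    print("\n".join(report(HJT_LOG, HJT_BACKUPS)))
```

The re-creation check is the most useful signal here: two O20 entries fixed at 16:19 and again at 16:20 on the same day tell the helper that removing the registry value is pointless until the DLL is unloaded (a reboot-time deletion or an offline scan), which is exactly what win32delfkil's fix.bat is for.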

#4 dantes


Posted 07 April 2007 - 08:55 AM

Hello again,

Sorry for the delayed response. I have great news: Avast antivirus has tackled the main problem and I'm now able to use HJT again and access your forum from my computer, unlike before.
Knowing the viruses' names by heart now, I tried to fix them through HJT, but 2 viruses kept coming back after each fix (winlogon related).

I tried downloading Win32DelfKil but it kept crashing my computer, so no luck there.
I did however run a scan with Deckard's and HJT, so here are the results:

This is the latest HJT scan (the previous one had soft_d.exe files there as well):

Logfile of HijackThis v1.99.1
Scan saved at 16:25:29, on 07/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\UPSMON\UPSInt2.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijackthis\hijackthis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/ChatTV/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A46CD0BC-F299-4DF8-84F5-E0B13E758957}: NameServer = 212.117.129.3,212.117.128.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E52089-8502-418B-BE9E-5D4ACBE998EF}: NameServer = 192.168.0.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AZJON - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Itai\LOCALS~1\Temp\AZJON.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Deckard's Main.txt :

Deckard's System Scanner v20070328.36
Run by Itai on 2007-04-07 at 16:31:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-04-07 14:31:24 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Itai.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:32:46, on 07/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\UPSMON\UPSInt2.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Itai\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\HIJACK~1\Itai.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijackthis\hijackthis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/ChatTV/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A46CD0BC-F299-4DF8-84F5-E0B13E758957}: NameServer = 212.117.129.3,212.117.128.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E52089-8502-418B-BE9E-5D4ACBE998EF}: NameServer = 192.168.0.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AZJON - Unknown owner - C:\DOCUME~1\Itai\LOCALS~1\Temp\AZJON.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\HIJACK~1\backups\) -----------

backup-20061118-044621-100 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - C:\WINDOWS\system32\adsldpby.dll (file missing)
backup-20061118-044621-132 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - C:\WINDOWS\compstuib.dll (file missing)
backup-20061118-044621-139 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00402} - C:\WINDOWS\system32\fontextb.dll (file missing)
backup-20061118-044621-147 O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
backup-20061118-044621-270 O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\admparsek.dll (file missing)
backup-20061118-044621-309 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00305} - C:\WINDOWS\compstuia.dll (file missing)
backup-20061118-044621-338 O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} -
backup-20061118-044621-385 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\system32\fontexta.dll (file missing)
backup-20061118-044621-391 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - C:\WINDOWS\compstuif.dll (file missing)
backup-20061118-044621-436 O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\podpis.dll
backup-20061118-044621-494 O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
backup-20061118-044621-495 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
backup-20061118-044621-524 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\system32\compstuid.dll (file missing)
backup-20061118-044621-577 O2 - BHO: (no name) - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - (no file)
backup-20061118-044621-723 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\compstuig.dll (file missing)
backup-20061118-044621-737 O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
backup-20061118-044621-819 O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll (file missing)
backup-20061118-044621-876 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00403} - C:\WINDOWS\system32\fontextc.dll
backup-20061118-044621-889 O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
backup-20061118-044622-180 O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)
backup-20061118-044622-377 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
backup-20061203-012444-117 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00404} - C:\WINDOWS\system32\fontextd.dll (file missing)
backup-20061203-012444-541 O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
backup-20061203-012536-855 O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
backup-20061203-012554-907 O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
backup-20061206-031159-706 O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
backup-20061206-031607-839 O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
backup-20061217-001602-570 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00405} - C:\WINDOWS\system32\fontexte.dll
backup-20061217-001603-104 O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
backup-20061217-001603-218 O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
backup-20061217-001603-306 O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
backup-20061217-001603-374 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
backup-20061217-001603-998 O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
backup-20061217-001604-762 O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
backup-20061217-001604-902 O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
backup-20061225-230557-361 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00405} - C:\WINDOWS\fontexte.dll (file missing)
backup-20061225-230557-934 O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\
backup-20070121-213327-261 O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
backup-20070127-191832-151 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070127-191832-640 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
backup-20070127-191832-930 O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
backup-20070127-191833-645 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
backup-20070127-191833-784 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070127-191833-837 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070127-191833-898 O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
backup-20070407-161946-105 O20 - Winlogon Notify: bxjoqoiabbjn - C:\WINDOWS\system32\bxjoqoiabbjn.dll (file missing)
backup-20070407-161946-136 O4 - HKLM\..\Run: [RPSC] C:\WINDOWS\system32\soft_d.exe
backup-20070407-161946-271 O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
backup-20070407-161946-679 O20 - Winlogon Notify: ipmnipmqsxye - C:\WINDOWS\system32\ipmnipmqsxye.dll (file missing)
backup-20070407-161946-745 O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
backup-20070407-161946-969 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070407-162041-665 O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll
backup-20070407-162041-806 O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys
R3 msloop (Microsoft Loopback Adapter Driver) - c:\windows\system32\drivers\loop.sys

S3 npkcrypt - c:\games\lineage ii\system\npkcrypt.sys (file missing)
S3 QCMerced (Logitech QuickCam Communicate) - c:\windows\system32\drivers\lvcm.sys
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070124.002\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 UPSMONService - "c:\program files\upsmon\upsmon_service.exe"

S2 MSSQL$SQLEXPRESS (SQL Server (SQLEXPRESS)) - "c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -ssqlexpress
S2 RTM (Remote Task Manager service) - c:\program files\remote task manager\rtmservice.exe (file missing)
S3 AZJON - c:\docume~1\itai\locals~1\temp\azjon.exe (file missing)
S3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe -k netsvcs
S4 msvsmon80 (Visual Studio 2005 Remote Debugger) - "c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 (file missing)
S4 SQLBrowser (SQL Browser) - "c:\program files\microsoft sql server\90\shared\sqlbrowser.exe"


-- Scheduled Tasks -------------------------------------------------------------

2007-04-07 15:53:29 362 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job<SYMANT~1.JOB>
2007-04-07 06:10:00 360 --a------ C:\WINDOWS\Tasks\XoftSpySE.job<XOFTSP~1.JOB>


-- Files created between 2007-03-07 and 2007-04-07 -----------------------------

2007-04-07 10:49:03 14 --a------ C:\Documents and Settings\Itai\getfile.dat
2007-04-07 10:49:02 2957 --a------ C:\Documents and Settings\Itai\x_dtrace_log<X_DTRA~1>
2007-04-07 08:13:59 258048 --a------ C:\WINDOWS\system32\soft_d.exe
2007-04-07 07:48:52 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-07 07:48:51 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-07 07:48:51 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-07 07:48:48 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-07 07:48:48 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-07 07:48:44 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-07 07:48:44 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-07 07:48:40 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-04-07 07:42:37 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-04-07 07:42:35 2957 --a------ C:\WINDOWS\system32\x_dtrace_log<X_DTRA~1>
2007-04-02 11:44:40 0 d-------- C:\Program Files\rootkitrevealer<ROOTKI~1>
2007-04-01 22:53:11 1822 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-01 13:29:07 0 d-------- C:\WINDOWS\BDOSCAN8
2007-03-28 17:51:08 0 d-------- C:\WINDOWS\system32\vkbfumkh
2007-03-26 11:09:17 71223 --ah----- C:\WINDOWS\system32\vpxyofsugazx.dll<VPXYOF~1.DLL>
2007-03-26 11:09:15 71223 -----n--- C:\WINDOWS\system32\urlnxqkxrfww.dll<URLNXQ~1.DLL>
2007-03-12 20:36:14 13824 --a------ C:\WINDOWS\system32\eoudaklm.exe
2007-03-09 13:47:39 106496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-03-09 13:47:39 22016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-03-09 13:47:38 372736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-03-09 13:47:38 204800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-03-09 13:47:38 204800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-03-09 13:47:37 2180096 -ra------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-03-09 13:47:36 1317152 -ra------ C:\WINDOWS\system32\drivers\lvcm.sys
2007-03-09 13:47:34 53760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-03-09 13:45:37 0 d-------- C:\Documents and Settings\Itai\Application Data\FotoWire
2007-03-09 13:45:36 0 d-------- C:\Program Files\Common Files\FotoWire
2007-03-09 13:44:41 53248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-03-09 13:44:09 0 d-------- C:\Program Files\Common Files\Logitech
2007-03-09 13:43:55 215552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-03-09 13:43:55 462848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-03-09 13:43:53 49152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2007-03-09 13:43:52 49152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2007-03-09 13:43:52 61440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2007-03-09 13:43:52 61440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2007-03-09 13:43:52 57344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2007-03-09 13:43:52 65536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2007-03-09 13:43:52 45056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2007-03-09 13:43:52 40960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2007-03-09 13:43:48 466944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-03-09 13:43:47 856064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-03-09 13:43:47 406016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-03-09 13:43:47 164864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-03-09 13:43:47 131072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-03-09 13:43:47 207872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-03-09 13:43:46 259072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-03-09 13:43:46 141312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-03-09 13:43:46 78336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-03-09 13:43:46 328704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-03-09 13:43:46 30720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-03-09 13:43:44 90112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-03-09 13:43:27 0 d-------- C:\Program Files\Logitech
2007-03-09 13:24:58 59264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-03-08 18:37:03 0 d-------- C:\Documents and Settings\Itai\Contacts
2007-03-08 18:35:01 0 d------c- C:\WINDOWS\system32\DRVSTORE


-- Find3M Report ---------------------------------------------------------------

2007-04-07 16:12:21 0 d-------- C:\Documents and Settings\Itai\Application Data\Skype
2007-04-07 07:46:46 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-04-07 07:46:43 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-04-07 06:59:23 0 d-------- C:\Program Files\a-squared Free<A-SQUA~1>
2007-04-06 17:47:43 0 d-------- C:\Documents and Settings\Itai\Application Data\Azureus
2007-04-01 19:40:17 0 d-------- C:\Program Files\UPSMON
2007-04-01 19:37:54 0 d-------- C:\Program Files\NetLimiter<NETLIM~1>
2007-04-01 19:37:47 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-01 19:33:41 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-04-01 19:14:38 0 d---s---- C:\Documents and Settings\Itai\Application Data\Microsoft<MICROS~1>
2007-04-01 15:44:23 0 d-------- C:\Program Files\The All-Seeing Eye<THEALL~1>
2007-03-29 16:57:49 0 d-------- C:\Program Files\XoftSpySE<XOFTSP~1>
2007-03-29 15:16:36 0 d-------- C:\Program Files\Azureus
2007-03-09 13:43:41 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-08 17:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-13 23:32:54 796672 --a------ C:\WINDOWS\GPInstall.exe<GPINST~1.EXE>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"HijackThis startup scan"="C:\\Program Files\\Hijackthis\\hijackthis\\HijackThis.exe /startupscan"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UPSMON"="C:\\Program Files\\UPSMON\\UPSMON.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{B29BE267-3A64-4F7E-8A57-75FB5E900506}"="Windows Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00401}"="z"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00402}"="z"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}"="z"
"{CEDE2188-484C-B239-A68E-DC1B84001001}"="vpxyofsugazx"
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"="google service"
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"="urlnxqkxrfww"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urlnxqkxrfww
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vpxyofsugazx

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\Install.exe


-- Hosts -----------------------------------------------------------------------

127.0.0.1 update.nprotect.net


-- End of Deckard's System Scanner: finished at 2007-04-07 at 16:33:21 ---------

This is Deckard's Extra.txt:

Deckard's System Scanner v20070328.36
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2500+
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 511.49 MiB / 147.49 MiB
Pagefile Memory (total/avail): 1246.82 MiB / 956.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1996.25 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 74.52 GiB total, 1.45 GiB free.
E: is CDROM (CDFS)
F: is CDROM (UDF)
G: is CDROM (No Media)
H: is Fixed (NTFS) - 74.53 GiB total, 6.72 GiB free.


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.942 [VPS 000731-0] v4.7.942 (ALWIL Software)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Itai\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ELDAD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Itai
lib=c:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\ELDAD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\MATLAB7\bin\win32;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Itai\LOCALS~1\Temp
TMP=C:\DOCUME~1\Itai\LOCALS~1\Temp
USERDOMAIN=ELDAD
USERNAME=Itai
USERPROFILE=C:\Documents and Settings\Itai
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

אלדד (admin)
Itai (admin)
Ben (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
##CAMERADRIVERNAME## --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
3D Live Pool --> "C:\Program Files\3D Live Pool\unins000.exe"
a-squared Free 2.1 --> "C:\Program Files\a-squared Free\unins000.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0 ME --> MsiExec.exe /I{AC76BA86-7AD7-1037-7646-6E0000000001}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI DVD Decoder 2.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D3661269-10B6-495F-B4EE-539ABE3F9AA9} /l1033
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI RADEON 9700 Bacteria Screen Saver v1.1 --> MsiExec.exe /X{CF110019-D640-4252-9DD7-99C7CB684E9F}
AutoIt v3.1.1 --> C:\Program Files\AutoIt3\Uninstall.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Babylon --> C:\Program Files\Babylon\Utils\uninstbb.exe
Battlefield Vietnam™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.exe" -l0x9
BitDefender 8 Free Edition --> MsiExec.exe /I{8BFFDBAB-FD81-4137-A98E-A769C828080C}
BoringCQ 1.1 --> "C:\Program Files\BoringCQ\unins000.exe"
Cheating-Death 4.23.4 --> C:\Program Files\Cheating-Death\UninstCD.exe
DivX Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Bundle.log
DivX Player 2.1 --> C:\Program Files\DivX\DivX Player 2.1\uninstall.bat
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Region Killer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Elaborate Bytes\DVD Region Killer\Uninst.isu"
DVD Shrink 3.1.3 --> "C:\Program Files\DVD Shrink\unins000.exe"
ElFerProxy - Autokill --> "C:\Program Files\ElFerProxy - Autokill\uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GTA San Andreas --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\DOCUME~1\Itai\LOCALS~1\Temp\Rar$EX34.7563\HijackThis.exe /uninstall
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
ICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
MATLAB Family of Products Release 14 --> C:\MATLAB7\uninstall\uninstall.exe C:\MATLAB7\
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Micro DVD Player --> C:\Program Files\Micro DVD Player\uninstall.exe
Microsoft .NET Compact Framework 1.0 SP3 Developer Beta 2 --> MsiExec.exe /I{20F5DF77-CA79-4A07-8200-3BBF0B6BBAFB}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional עם FrontPage --> MsiExec.exe /I{9028040D-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Native Client --> MsiExec.exe /I{C1ACE268-14E1-4AF7-B639-050D1A3F4B8F}
Microsoft SQL Server 2005 Express Edition CTP (SQLEXPRESS) --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe" /resumesetup /productcode {2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F} /X {2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F} SCCCHECKLEVEL=iisDep:0;PerfMon:0
Microsoft SQL Server 2005 Express Edition CTP (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Beta 3 Developer Tools --> MsiExec.exe /X{DEEF86EA-279A-4B96-BE8F-E148CD758F10}
Microsoft SQL Server 2005 Tools Express Edition CTP --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe" /resumesetup /productcode {2750B389-A2D2-4953-99CA-27C1F2A8E6FD} /X {2750B389-A2D2-4953-99CA-27C1F2A8E6FD} SCCCHECKLEVEL=iisDep:0;PerfMon:0
Microsoft SQL Server 2005 Tools Express Edition CTP --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
Microsoft Visual Studio 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Mu --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F57CEB84-3D22-4657-8EDA-F8CD5217B83E}\Setup.exe" -l0x9 UNINSTALL
My Internals Code Sample --> MsiExec.exe /I{BB2CDF12-6940-4184-AF94-270DAC12B182}
NeoLite Version 2.0 Evaluation --> C:\PROGRA~1\BO2K\NeoLite\UNWISE.EXE C:\PROGRA~1\BO2K\NeoLite\INSTALL.LOG
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetLimiter 1.29 (remove only) --> "C:\Program Files\NetLimiter\nluninst.exe"
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuaudio.exe UninstallGUI
NVIDIA Windows 2000/XP nForce Drivers --> rundll32.exe C:\WINDOWS\System32\NVNFINST.DLL,NvUninstallCrush
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Panda spyXposer --> C:\WINDOWS\system32\ASUninst.exe Panda spyXposer
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
SonicStage Simple Burner 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A0E8EB8-85C9-461A-B0C1-0DB7C21FA89A}\setup.exe" -l0x9 /UNINSTALL
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQLXML 4.0 --> MsiExec.exe /I{7547D3B6-7C5B-4F16-A5E6-E841F107BA58}
Steam --> C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
TeamSpeak 2 RC2 --> "C:\Program Files\teamspeak2_RC2\unins000.exe"
UPSMON Plus for Windows --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\UPSMON\UnInst.log" "/APPNAME=UPSMON Plus for Windows"
WinAce Archiver --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{426382FB-4792-44BA-8C6A-CB7C77F61F53}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe


-- End of Deckard's System Scanner: finished at 2007-04-07 at 16:33:21 ---------

Hope you can help me get rid of those viruses,

many thanks!

#5 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 07 April 2007 - 06:28 PM

Hi,

Hope you can help me get rid of those viruses,

I'll do my best.

It may be a good idea to print these instructions so that you can have access to them at all times.

It appears that your resident antivirus application is AVAST but you still have some remnants of Symantec. Please use the instructions on this page to completely uninstall your Norton Products.

=====================================

Now, run HijackThis. Close all windows and browsers except HijackThis.
Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:

C:\WINDOWS\system32\urlnxqkxrfww.dll

do the same for this one if listed

C:\WINDOWS\system32\vpxyofsugazx.dll

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following

O20 - Winlogon Notify: urlnxqkxrfww - C:\WINDOWS\system32\urlnxqkxrfww.dll
O20 - Winlogon Notify: vpxyofsugazx - C:\WINDOWS\system32\vpxyofsugazx.dll


Do you know anything about this service? I cannot find any info and it's running from a temporary directory. Unless you know it, I would suggest you fix it with HijackThis.

O23 - Service: AZJON - Unknown owner - C:\DOCUME~1\Itai\LOCALS~1\Temp\AZJON.exe (file missing)

Exit HijackThis.

=====================================

If you have fixed the above service with HijackThis, do the following before you proceed with the next step:

Go to Start > Run. Copy/Paste or type:

1) sc stop AZJON and then click OK
2) sc delete AZJON and then click OK

=====================================

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.

    http://aumha.org/freeware/freeware.php
  • For version with the Installer:

    Use the setup program to install ERUNT on your computer
  • For the zipped version:

    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to backup your registry to the folder of your choice.
---------------

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type "fixreg.reg" in the file name and save it to your desktop. Make sure to save it with the quotes.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00401}"=-
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00402}"=-
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}"=-
"{CEDE2188-484C-B239-A68E-DC1B84001001}"=-
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"=-
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"=-

[-HKEY_CLASSES_ROOT\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urlnxqkxrfww]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vpxyofsugazx]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

======================================

Reboot your computer.

======================================

Scan with Bitdefender again and post the log along with a fresh HijackThis log please.
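
Regedit is unforgiving about the shape of a .reg file, which is why the helper spells out the rules (REGEDIT4 on the first line, `"name"=-` to delete a value, `[-key]` to delete a key, one blank line at the end). As an added example that is not part of this thread, the Python below builds that removal script from the entries listed in the dump and checks those rules before the file is merged; build_fix, validate_reg and the constant names are hypothetical helpers, not anything from the thread or from HijackThis.

```python
"""Build and sanity-check a REGEDIT4 removal script of the fixreg.reg kind.

Added example, not part of the original thread; build_fix and validate_reg are
hypothetical helpers. The key paths and value names below are the ones quoted
in the thread's Deckard registry dump.
"""
import re

# Key lines: [HKEY_...\path] selects a key, [-HKEY_...\path] deletes it.
# REGEDIT4 needs the full hive names, not HKLM/HKCU abbreviations.
KEY_RE = re.compile(
    r"^\[(-?)(HKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)"
    r"(?:\\[^\\\]]+)+)\]$"
)
# Value lines: "name"=- deletes a value; the other forms set string/dword/hex data
# (single-line values only; hex continuation lines are not handled here).
QUOTED = r'"(?:[^"\\]|\\.)*"'
VALUE_RE = re.compile(
    rf"^{QUOTED}=(?:-|{QUOTED}|dword:[0-9A-Fa-f]{{8}}|hex(?:\([0-9A-Fa-f]+\))?:[0-9A-Fa-f, ]*)$"
)


def build_fix(value_deletions, key_deletions):
    """Return REGEDIT4 text deleting the given values ({key: [name, ...]}) and keys."""
    lines = ["REGEDIT4", ""]
    for key, names in value_deletions.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    for key in key_deletions:
        lines.append(f"[-{key}]")
        lines.append("")
    # The list ends with "", so the join leaves the required trailing blank line.
    return "\n".join(lines) + "\n"


def validate_reg(text):
    """Return a list of problems; an empty list means the script is safe to merge."""
    problems = []
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    if lines[0] != "REGEDIT4":
        problems.append("line 1: first line must be exactly REGEDIT4 (no blank lines before it)")
    if not text.endswith("\n\n") and not text.endswith("\r\n\r\n"):
        problems.append("end: the file must end with one blank line")
    current_key, deleting_key = None, False
    for num, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        match = KEY_RE.match(line)
        if match:
            deleting_key = match.group(1) == "-"
            current_key = match.group(2)
        elif line.startswith("["):
            problems.append(f"line {num}: malformed key line {line!r}")
            current_key = None
        elif current_key is None:
            problems.append(f"line {num}: value line outside any [key] section")
        elif deleting_key:
            problems.append(f"line {num}: values under a [-key] deletion are ignored")
        elif not VALUE_RE.match(line):
            hint = ' (stray quote: "name"=- deletes a value)' if line.endswith('="-') else ""
            problems.append(f"line {num}: malformed value line {line!r}{hint}")
    return problems


# Entries quoted from the thread's Deckard dump that the helper's fixreg.reg removes.
STS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
GOOGLE_SERVICE_CLSID = "{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"  # the "google service" entry
STS_VALUES = [
    "{A4F94C0C-54A7-4DB1-9AF3-B22E63D00401}",
    "{A4F94C0C-54A7-4DB1-9AF3-B22E63D00402}",
    "{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}",
    "{CEDE2188-484C-B239-A68E-DC1B84001001}",
    GOOGLE_SERVICE_CLSID,
    "{2188CEDE-B239-484C-8EA6-B84DC1001001}",
]
KEYS_TO_DELETE = [
    "HKEY_CLASSES_ROOT\\CLSID\\" + GOOGLE_SERVICE_CLSID,
    "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\" + GOOGLE_SERVICE_CLSID,
    NOTIFY_KEY + "\\urlnxqkxrfww",
    NOTIFY_KEY + "\\vpxyofsugazx",
]
THREAD_FIX = build_fix({STS_KEY: STS_VALUES}, KEYS_TO_DELETE)

if __name__ == "__main__":
    print(THREAD_FIX)
    print("problems:", validate_reg(THREAD_FIX) or "none")
    # A one-character slip ("- instead of -) turns a deletion into a broken string value.
    broken = THREAD_FIX.replace('"=-', '"="-', 1)
    for problem in validate_reg(broken):
        print(problem)
```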

#6 dantes

  • Topic Starter
  • Members
  • 10 posts

Posted 08 April 2007 - 05:05 PM

Thank you very much for your time,

Those processes you have mentioned were the ones I could not erase before just by fixing them through HJT.
But after downloading (again) and reinstalling BitDefender I have managed to get rid of them after selecting the files and fixing.

I have followed your instructions through, and must say it all looks better now. But hey, have a look for yourself:

HJT scan log (after rebooting and applying the recommended actions):

Logfile of HijackThis v1.99.1
Scan saved at 16:40:15, on 08/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\UPSMON\UPSInt2.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijackthis\hijackthis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/ChatTV/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A46CD0BC-F299-4DF8-84F5-E0B13E758957}: NameServer = 212.117.129.3,212.117.128.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E52089-8502-418B-BE9E-5D4ACBE998EF}: NameServer = 192.168.0.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

BitDefender scan log:


//-----------------------------------------------------------------
//
// Product BitDefender Antivirus Plus v10
// Product 10.2
//
// Created on: 08/04/2007 16:47:54
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
H:\
Folders : 18294
Files : 100112
Memory processes scanned : 14
Archives : 7
Runtime packers : 9710
Identified viruses : 1
Infected files : 1
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 0
Moved files : 1
I/O errors : 39
Scan time : 07:44:03
Scan speed (files/sec) : 3

Spyware Statistics

Registry keys scanned : 1839
Registry keys infected : 0
Cookies scanned : 855
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 529133
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1176043674.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\itai\DigiWiz miniPE v2k5.01.22-XT\miniPE.v2k5.01.xx-XT\Programs\ERDcmd2003\common.dll Infected: Backdoor.Pcclient.GV
C:\itai\DigiWiz miniPE v2k5.01.22-XT\miniPE.v2k5.01.xx-XT\Programs\ERDcmd2003\common.dll Disinfection failed
C:\itai\DigiWiz miniPE v2k5.01.22-XT\miniPE.v2k5.01.xx-XT\Programs\ERDcmd2003\common.dll Moved



I appreciate any comments or suggestions.

#7 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 April 2007 - 05:17 PM

Yes, it looks very good. Are you still having any problems?

#8 dantes

  • Topic Starter
  • Members
  • 10 posts

Posted 09 April 2007 - 05:45 PM

Hey,

I don't have any troubles now. The computer works well, and I think it's safe to say we got over the problems.

One thing that bothers me is hidden files. I've found some on my last scan with BitDefender, and I don't know if they are harmful or not. The files are:

C:\WINDOWS\system32\zw0er_!.dat Hiddenfile
C:\WINDOWS\system32\zw0er_!g.sys Hiddenfile
C:\WINDOWS\zw0er_!.txt Hiddenfile

They were discovered as I did a rootkit scan. Can you advise me how to handle them?

Thanks.

#9 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 09 April 2007 - 07:58 PM

Hi,

One thing that bothers me is hidden files. I've found some on my last scan with BitDefender, and I don't know if they are harmful or not. The files are:

C:\WINDOWS\system32\zw0er_!.dat Hiddenfile
C:\WINDOWS\system32\zw0er_!g.sys Hiddenfile
C:\WINDOWS\zw0er_!.txt Hiddenfile

They were discovered as I did a rootkit scan. Can you advise me how to handle them?

Yes, they are bad. When did you run the scan, today? The BitDefender scan didn't find them yesterday.

======================================

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\zw0er_!.dat
    C:\WINDOWS\system32\zw0er_!g.sys
    C:\WINDOWS\zw0er_!.txt
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


========================================

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.



=========================================

  • Please download ComboFix

    Note: It is important that it is saved directly to your desktop.

    Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
======================================

Please post back the OTMoveIT log, Combofix text and the WinPFind log.

Edited by amateur, 09 April 2007 - 08:49 PM.
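When the WinPFind report comes back, the helper reads it for a handful of indicators: persistence entries pointing at files the scanner cannot see, DLLs in AppInit_DLLs, versionless binaries with random eight-letter names in the system directory, HOSTS redirects of update domains, and UPX-packed PE content hiding under a non-executable extension. The following is an added example, not OldTimer's or BleepingComputer's code, that applies those checks to report lines in the WinPFind3U format used in this thread; the sample excerpt is constructed in that format, and the category names and heuristics are my own assumptions, not anything the tool itself reports.

```python
"""Triage helper for WinPFind3U-style report lines (added example, not OldTimer's code)."""
import re
from dataclasses import dataclass
from typing import List

# Sub-section markers look like "< Run [HKLM] > -> HKEY_..." ; top-level blocks like "[Processes - ...]"
SUBSECTION_RE = re.compile(r"^< (?P<section>[^>]+?) >")
# Trailing detail block: "[Ver = 1, 0 | Size = 123 bytes | Modified Date = ... | Attr = ]"
VERSION_RE = re.compile(r"\[Ver = (?P<ver>[^|]*)\|")
# Assumed heuristic: eight random lowercase letters, the dropper naming pattern seen in this thread
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}(\.exe|\.dll|\.sys)?$")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
SYSTEM_DIRS = ("%System32%", "%SystemRoot%")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    category: str   # assumed label, chosen for this example
    section: str    # report section the line came from
    path: str       # file path, registry data, or host name


def triage(log_text: str) -> List[Finding]:
    """Walk a WinPFind3U report and return the entries a helper would look at first."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        sub = SUBSECTION_RE.match(line)
        if sub:
            section = sub.group("section")
            continue
        parts = [p.strip() for p in line.split(" -> ")]
        # HOSTS entries look like "127.0.0.1 update.nprotect.net -> ->"
        if section.startswith("HOSTS"):
            tokens = parts[0].split(None, 1)
            if len(tokens) == 2 and tokens[0] in LOOPBACK and tokens[1].lower() != "localhost":
                findings.append(Finding("hosts_redirect", section, tokens[1]))
            continue
        if len(parts) < 3:
            continue
        name, path, detail = parts[0], parts[1], parts[2]
        basename = path.rsplit("\\", 1)[-1]
        ext = "." + basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
        company = detail.split("[", 1)[0].strip()
        ver_match = VERSION_RE.search(detail)
        version = ver_match.group("ver").strip() if ver_match else ""

        # 1. A persistence point referencing a file the scanner cannot see: either an
        #    orphaned leftover or a file hidden from the Win32 API (as in this thread).
        if detail == "File not found":
            findings.append(Finding("orphaned_or_hidden_reference", section, path))
        # 2. Anything listed under AppInit_DLLs is loaded into every user-mode process.
        if section.startswith("AppInit_DLLs") and ext == ".dll":
            findings.append(Finding("appinit_dll", section, path))
        # 3. Versionless binary, no company name, random 8-letter name, in a system directory.
        if (path.startswith(SYSTEM_DIRS) and RANDOM_NAME_RE.match(basename)
                and not company and not version):
            findings.append(Finding("random_name_unsigned_binary", section, path))
        # 4. UPX-packed PE content in a file whose extension claims it is not executable.
        if name.startswith("UPX!") and ext not in EXECUTABLE_EXTS:
            findings.append(Finding("packed_pe_nonexecutable_extension", section, path))
    return findings


# Constructed excerpt in the WinPFind3U report format (not a complete report).
SAMPLE_LOG = r"""
[Processes - Non-Microsoft Only]
bdagent.exe -> %ProgramFiles%\Softwin\BitDefender10\bdagent.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 4 | Size = 49152 bytes | Modified Date = 11/10/2006 17:22:18 | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15/01/2007 19:28:58 | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
sockspy.dll -> %System32%\sockspy.dll -> [Ver = | Size = 73728 bytes | Modified Date = 26/01/2006 19:19:52 | Attr = ]
< SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{B0099233-1FF5-4326-A3E8-24AE1DF18D57} [HKLM] -> Reg Data - Key not found [google service] -> File not found
< HOSTS File > (682 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 update.nprotect.net -> ->
[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\cpblpbc19.log -> [Ver = | Size = 71168 bytes | Modified Date = 25/05/2006 22:34:36 | Attr = ]
UPX! , UPX0 , -> %System32%\jhvlqirm.exe -> [Ver = | Size = 86016 bytes | Modified Date = 28/09/2006 12:39:14 | Attr = ]
UPX! , UPX0 , -> %System32%\aswBoot.exe -> [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Modified Date = 15/01/2007 19:32:08 | Attr = ]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:36s} [{f.section}] {f.path}")
```

Every hit is a "look at this" prompt rather than a verdict: a disabled service with a missing binary or a legitimately packed AV component (aswBoot.exe above is not flagged) still needs a human to confirm.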


#10 dantes
  • Topic Starter
  • Members
  • 10 posts

Posted 10 April 2007 - 05:08 PM

Hi,

The scan found the hidden files on the 9/04 and on the 10/4, but only when I did a rootkit scan.
They were discovered as well by RootkitRevealer during the past week.
/-----------------------------------------------------------------
//
// Product BitDefender Antivirus Plus v10
// Product 10.2
//
// Created on: 10/04/2007 05:09:17
//
//-----------------------------------------------------------------

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[X] Ignore
[ ] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[X] Ignore
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Virus scan options
[ ] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\rootkit_scan\1176174557.log

Spyware scan options

[ ] Scan for riskware
[ ] Registry keys
[ ] Cookies


Summary:

C:\WINDOWS\system32\zw0er_!.dat Hiddenfile
C:\WINDOWS\system32\zw0er_!g.sys Hiddenfile
C:\WINDOWS\zw0er_!.txt Hiddenfile

========================================================
I tried to use MoveIt to move the files. This is what I got:

File/Folder C:\WINDOWS\system32\zw0er_!.dat not found.
File/Folder C:\WINDOWS\system32\zw0er_!g.sys not found.
File/Folder C:\WINDOWS\zw0er_!.txt not found.

Created on 04/10/2007 05:08:01

============= Then I used WinPFind. This is the log: =============================
WinPFind3 logfile created on: 10/04/2007 14:01:47
WinPFind3U by OldTimer - Version 1.0.34 Folder = C:\Program Files\winpfind3u\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

511.49 Mb Total Physical Memory | 219.80 Mb Available Physical Memory | 42.97% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 77.82% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 1.61 Gb Free Space | 2.16% Space Free
D: Drive not present or media not loaded
Drive E: | 659.29 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
Drive F: | 3.94 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free

Computer Name: ELDAD
Current User Name: Itai
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15/01/2007 19:28:58 | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15/01/2007 19:28:52 | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 15/01/2007 19:18:24 | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> [Ver = | Size = 385024 bytes | Modified Date = 02/12/2003 21:55:06 | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> [Ver = | Size = 385024 bytes | Modified Date = 02/12/2003 21:55:06 | Attr = ]
babylon.exe -> %ProgramFiles%\Babylon\Babylon.exe -> Babylon Ltd. [Ver = 5.0.5.7 | Size = 2183168 bytes | Modified Date = 23/01/2005 13:51:02 | Attr = ]
bdagent.exe -> %ProgramFiles%\Softwin\BitDefender10\bdagent.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 4 | Size = 49152 bytes | Modified Date = 11/10/2006 17:22:18 | Attr = ]
bdmcon.exe -> %ProgramFiles%\Softwin\BitDefender10\bdmcon.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 2 | Size = 282624 bytes | Modified Date = 19/10/2006 21:43:24 | Attr = ]
bdss.exe -> %CommonProgramFiles%\Softwin\BitDefender Scan Server\bdss.exe -> [Ver = | Size = 81920 bytes | Modified Date = 08/04/2007 04:13:44 | Attr = ]
fxsvr2.exe -> %ProgramFiles%\Logitech\Video\FxSvr2.exe -> Logitech Inc. [Ver = 8.4.7.1034 | Size = 192512 bytes | Modified Date = 08/06/2005 14:44:56 | Attr = ]
livesrv.exe -> %CommonProgramFiles%\Softwin\BitDefender Update Service\livesrv.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 5 | Size = 233472 bytes | Modified Date = 09/01/2007 14:17:26 | Attr = ]
logitray.exe -> %ProgramFiles%\Logitech\Video\LogiTray.exe -> Logitech Inc. [Ver = 8.4.7.1034 | Size = 217088 bytes | Modified Date = 08/06/2005 15:14:44 | Attr = ]
lvcomsx.exe -> %System32%\LVCOMSX.EXE -> Logitech Inc. [Ver = 8.4.7.1036 | Size = 221184 bytes | Modified Date = 19/07/2005 17:32:18 | Attr = ]
upsmon.exe -> %ProgramFiles%\UPSMON\UPSMON.exe -> [Ver = | Size = 429568 bytes | Modified Date = 30/03/2005 16:13:24 | Attr = ]
upsmon_service.exe -> %ProgramFiles%\UPSMON\UPSMON_Service.Exe -> [Ver = | Size = 368128 bytes | Modified Date = 22/03/2005 15:31:40 | Attr = ]
vsserv.exe -> %ProgramFiles%\Softwin\BitDefender10\vsserv.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 40 | Size = 389120 bytes | Modified Date = 23/11/2006 11:24:40 | Attr = ]
winpfind3u.exe -> %ProgramFiles%\winpfind3u\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 08/04/2007 19:02:38 | Attr = ]
xcommsvr.exe -> %CommonProgramFiles%\Softwin\BitDefender Communicator\xcommsvr.exe -> SOFTWIN S.R.L [Ver = 1, 8, 11, 0 | Size = 86016 bytes | Modified Date = 09/11/2006 12:33:04 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 15/01/2007 19:18:24 | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> [Ver = | Size = 385024 bytes | Modified Date = 02/12/2003 21:55:06 | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0013 | Size = 516096 bytes | Modified Date = 02/12/2003 21:10:00 | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15/01/2007 19:28:52 | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15/01/2007 19:28:32 | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 370304 bytes | Modified Date = 15/01/2007 19:27:52 | Attr = ]
(bdss) BitDefender Scan Server [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Softwin\BitDefender Scan Server\bdss.exe -> [Ver = | Size = 81920 bytes | Modified Date = 08/04/2007 04:13:44 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 09:56:48 | Attr = ]
(LIVESRV) BitDefender Desktop Update Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Softwin\BitDefender Update Service\livesrv.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 5 | Size = 233472 bytes | Modified Date = 09/01/2007 14:17:26 | Attr = ]
(msvsmon80) Visual Studio 2005 Remote Debugger [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -> File not found
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 7, 0, 0, 0 | Size = 65795 bytes | Modified Date = 11/08/2003 11:25:42 | Attr = R ]
(RTM) Remote Task Manager service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Remote Task Manager\RTMService.exe -> File not found
(UPSMONService) UPSMONService [Win32_Own | Auto | Running] -> %ProgramFiles%\UPSMON\UPSMON_Service.Exe -> [Ver = | Size = 368128 bytes | Modified Date = 22/03/2005 15:31:40 | Attr = ]
(VSSERV) BitDefender Virus Shield [Win32_Own | Auto | Running] -> %ProgramFiles%\Softwin\BitDefender10\vsserv.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 40 | Size = 389120 bytes | Modified Date = 23/11/2006 11:24:40 | Attr = ]
(XCOMM) BitDefender Communicator [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Softwin\BitDefender Communicator\xcommsvr.exe -> SOFTWIN S.R.L [Ver = 1, 8, 11, 0 | Size = 86016 bytes | Modified Date = 09/11/2006 12:33:04 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15/01/2007 19:28:58 | Attr = ]
BDAgent -> %ProgramFiles%\Softwin\BitDefender10\bdagent.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 4 | Size = 49152 bytes | Modified Date = 11/10/2006 17:22:18 | Attr = ]
BDMCon -> %ProgramFiles%\Softwin\BitDefender10\bdmcon.exe -> SOFTWIN S.R.L. [Ver = 10, 0, 0, 2 | Size = 282624 bytes | Modified Date = 19/10/2006 21:43:24 | Attr = ]
LogitechVideoRepair -> %ProgramFiles%\Logitech\Video\ISStart.exe -> Logitech Inc. [Ver = 8.4.7.1034 | Size = 458752 bytes | Modified Date = 08/06/2005 15:24:32 | Attr = ]
LogitechVideoTray -> %ProgramFiles%\Logitech\Video\LogiTray.exe -> Logitech Inc. [Ver = 8.4.7.1034 | Size = 217088 bytes | Modified Date = 08/06/2005 15:14:44 | Attr = ]
LVCOMSX -> %System32%\LVCOMSX.EXE -> Logitech Inc. [Ver = 8.4.7.1036 | Size = 221184 bytes | Modified Date = 19/07/2005 17:32:18 | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 10/04/2004 10:31:40 | Attr = ]
UPSMON -> %ProgramFiles%\UPSMON\UPSMON.exe -> [Ver = | Size = 429568 bytes | Modified Date = 30/03/2005 16:13:24 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HijackThis startup scan -> %ProgramFiles%\Hijackthis\hijackthis\HijackThis.exe -> Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Modified Date = 16/02/2005 11:06:16 | Attr = ]
LogitechSoftwareUpdate -> %ProgramFiles%\Logitech\Video\ManifestEngine.exe -> Logitech Inc. [Ver = 8.4.7.1034 | Size = 196608 bytes | Modified Date = 08/06/2005 14:44:14 | Attr = ]
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13/10/2006 17:20:08 | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Logitech Desktop Messenger.lnk -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe -> Logitech [Ver = 1.4.50 | Size = 450560 bytes | Modified Date = 09/03/2007 13:43:36 | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
sockspy.dll -> %System32%\sockspy.dll -> [Ver = | Size = 73728 bytes | Modified Date = 26/01/2006 19:19:52 | Attr = ]
< SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{B0099233-1FF5-4326-A3E8-24AE1DF18D57} [HKLM] -> Reg Data - Key not found [google service] -> File not found
{B29BE267-3A64-4F7E-8A57-75FB5E900506} [HKLM] -> Reg Data - Key not found [Windows Updater] -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
ntoskrnl.dll -> ntoskrnl.dll -> File not found
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent -> %System32%\ati2evxx.dll -> [Ver = | Size = 86016 bytes | Modified Date = 02/12/2003 21:55:12 | Attr = ]
< HOSTS File > (682 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 update.nprotect.net -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Start Page -> http://www.walla.co.il/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.0.2003051200 | Size = 50376 bytes | Modified Date = 11/05/2003 23:47:20 | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 01:04:00 | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&יצא ל- Microsoft Excel -> -> File not found
הורד באמצעות פלאש-גט -> Reg Data - Value does not exist -> File not found
הורד הכל באמצעות פלאש-גט -> Reg Data - Value does not exist -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{851ABA2D-12DF-4865-B4E0-453853592B6B} -> () ->
{A46CD0BC-F299-4DF8-84F5-E0B13E758957} -> 212.117.129.3,212.117.128.6 (NVIDIA nForce MCP Networking Adapter) ->
{E5E52089-8502-418B-BE9E-5D4ACBE998EF} -> 192.168.0.100 (Microsoft Loopback Adapter) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\NetLimiter\nl_lsp.dll -> [Ver = | Size = 81920 bytes | Modified Date = 20/01/2004 17:18:06 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\NetLimiter\nl_lsp.dll -> [Ver = | Size = 81920 bytes | Modified Date = 20/01/2004 17:18:06 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %ProgramFiles%\NetLimiter\nl_lsp.dll -> [Ver = | Size = 81920 bytes | Modified Date = 20/01/2004 17:18:06 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000004 -> %ProgramFiles%\NetLimiter\nl_lsp.dll -> [Ver = | Size = 81920 bytes | Modified Date = 20/01/2004 17:18:06 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000005 -> %ProgramFiles%\NetLimiter\nl_lsp.dll -> [Ver = | Size = 81920 bytes | Modified Date = 20/01/2004 17:18:06 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000011 -> %ProgramFiles%\NetLimiter\nl_lsp.dll -> [Ver = | Size = 81920 bytes | Modified Date = 20/01/2004 17:18:06 | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BCC737-B171-4746-94C9-0D8A0B2C0089} -> Microsoft Office Template and Media Control - CodeBase = http://office.microsoft.com/templates/ieawsdc.cab ->
{215B8138-A3CF-44C5-803F-8226143CFC0A} -> Trend Micro ActiveX Scan Agent 6.6 - CodeBase = http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.2_04 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/...7987.6478587963 ->
{A4639D2F-774E-11D3-A490-00C04F6843FB} -> IEAnimBehaviorFactory Class - CodeBase = http://download.microsoft.com/download/Pow...N-US/msorun.cab ->
{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -> Java Plug-in 1.4.2_04 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Files/Folders - Created Within 30 days]
Deckard -> %SystemDrive%\Deckard -> [Folder | Created Date = 07/04/2007 16:31:20 | Attr = ]
kav -> %SystemDrive%\kav -> [Folder | Created Date = 07/04/2007 21:43:52 | Attr = ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ -> [Folder | Created Date = 04/04/2007 10:01:23 | Attr = H ]
$NtUninstallKB929338$ -> %SystemRoot%\$NtUninstallKB929338$ -> [Folder | Created Date = 30/03/2007 10:12:03 | Attr = H ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Created Date = 01/04/2007 13:29:07 | Attr = ]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Created Date = 07/04/2007 16:31:34 | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 07/04/2007 05:31:28 | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 07/04/2007 05:31:28 | Attr = H ]
actskin4.ocx -> %System32%\actskin4.ocx -> [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 07/04/2007 07:48:44 | Attr = ]
aswBoot.exe -> %System32%\aswBoot.exe -> [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Created Date = 07/04/2007 07:48:44 | Attr = ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 90112 bytes | Created Date = 07/04/2007 07:48:44 | Attr = ]
bdod.bin -> %System32%\bdod.bin -> [Ver = | Size = 81984 bytes | Created Date = 08/04/2007 03:13:42 | Attr = ]
getfile.dat -> %System32%\getfile.dat -> [Ver = | Size = 14 bytes | Created Date = 07/04/2007 07:42:37 | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 01/04/2007 17:59:48 | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 1822 bytes | Created Date = 01/04/2007 22:53:11 | Attr = ]
vkbfumkh -> %System32%\vkbfumkh -> [Folder | Created Date = 28/03/2007 17:51:08 | Attr = ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 31560 bytes | Created Date = 07/04/2007 07:48:51 | Attr = ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 85952 bytes | Created Date = 07/04/2007 07:48:48 | Attr = ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 94424 bytes | Created Date = 07/04/2007 07:48:48 | Attr = ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 23352 bytes | Created Date = 07/04/2007 07:48:52 | Attr = ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 43176 bytes | Created Date = 07/04/2007 07:48:51 | Attr = ]
hosts.tmp -> %System32%\drivers\etc\hosts.tmp -> [Ver = | Size = 680 bytes | Created Date = 12/03/2007 20:36:16 | Attr = R ]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 08/04/2007 03:43:54 | Attr = HS]
Deckard -> %SystemDrive%\Deckard -> [Folder | Modified Date = 07/04/2007 16:31:22 | Attr = ]
Eldad -> %SystemDrive%\Eldad -> [Folder | Modified Date = 24/03/2007 06:21:38 | Attr = ]
Emails -> %SystemDrive%\Emails -> [Folder | Modified Date = 25/03/2007 02:28:32 | Attr = ]
Games -> %SystemDrive%\Games -> [Folder | Modified Date = 09/04/2007 10:11:56 | Attr = ]
kav -> %SystemDrive%\kav -> [Folder | Modified Date = 07/04/2007 21:43:54 | Attr = ]
My Music -> %SystemDrive%\My Music -> [Folder | Modified Date = 09/04/2007 21:14:10 | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 10/04/2007 05:23:20 | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 07/04/2007 21:22:18 | Attr = HS]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 10/04/2007 01:05:10 | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 04/04/2007 10:00:08 | Attr = H ]
$NtUninstallKB824141$ -> %SystemRoot%\$NtUninstallKB824141$ -> [Folder | Modified Date = 09/04/2007 17:14:44 | Attr = H ]
$NtUninstallKB824141_RTM$ -> %SystemRoot%\$NtUninstallKB824141_RTM$ -> [Folder | Modified Date = 09/04/2007 17:14:46 | Attr = H ]
$NtUninstallKB828028$ -> %SystemRoot%\$NtUninstallKB828028$ -> [Folder | Modified Date = 09/04/2007 17:14:46 | Attr = H ]
$NtUninstallKB828035$ -> %SystemRoot%\$NtUninstallKB828035$ -> [Folder | Modified Date = 09/04/2007 17:14:48 | Attr = H ]
$NtUninstallKB828035_RTM$ -> %SystemRoot%\$NtUninstallKB828035_RTM$ -> [Folder | Modified Date = 09/04/2007 17:14:48 | Attr = H ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ -> [Folder | Modified Date = 04/04/2007 10:01:26 | Attr = H ]
$NtUninstallKB929338$ -> %SystemRoot%\$NtUninstallKB929338$ -> [Folder | Modified Date = 30/03/2007 10:12:06 | Attr = H ]
$NtUninstallQ309521$ -> %SystemRoot%\$NtUninstallQ309521$ -> [Folder | Modified Date = 09/04/2007 17:15:54 | Attr = H ]
$NtUninstallQ314862$ -> %SystemRoot%\$NtUninstallQ314862$ -> [Folder | Modified Date = 09/04/2007 17:15:56 | Attr = H ]
$NtUninstallQ315000$ -> %SystemRoot%\$NtUninstallQ315000$ -> [Folder | Modified Date = 09/04/2007 17:15:56 | Attr = H ]
$NtUninstallQ323172$ -> %SystemRoot%\$NtUninstallQ323172$ -> [Folder | Modified Date = 09/04/2007 17:16:00 | Attr = H ]
$NtUninstallQ328940$ -> %SystemRoot%\$NtUninstallQ328940$ -> [Folder | Modified Date = 09/04/2007 17:16:04 | Attr = H ]
$NtUninstallQ329048$ -> %SystemRoot%\$NtUninstallQ329048$ -> [Folder | Modified Date = 09/04/2007 17:16:04 | Attr = H ]
$NtUninstallQ329390$ -> %SystemRoot%\$NtUninstallQ329390$ -> [Folder | Modified Date = 09/04/2007 17:16:04 | Attr = H ]
$NtUninstallQ828026$ -> %SystemRoot%\$NtUninstallQ828026$ -> [Folder | Modified Date = 09/04/2007 17:16:12 | Attr = H ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 09/04/2007 17:16:30 | Attr = ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 01/04/2007 20:13:12 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 10/04/2007 01:04:40 | Attr = S]
cdplayer.ini -> %SystemRoot%\cdplayer.ini -> [Ver = | Size = 1040 bytes | Modified Date = 18/03/2007 21:06:08 | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 09/04/2007 17:17:14 | Attr = S]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Modified Date = 08/04/2007 16:32:10 | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 30/03/2007 10:12:18 | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 09/04/2007 07:11:00 | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 08/04/2007 12:53:28 | Attr = HS]
matlab.ini -> %SystemRoot%\matlab.ini -> [Ver = | Size = 156 bytes | Modified Date = 21/03/2007 03:34:02 | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 49 bytes | Modified Date = 09/04/2007 06:58:30 | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 10/04/2007 13:59:24 | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 07/04/2007 05:31:30 | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 07/04/2007 05:31:30 | Attr = H ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 09/04/2007 17:25:04 | Attr = ]
speech -> %SystemRoot%\speech -> [Folder | Modified Date = 09/04/2007 17:25:06 | Attr = ]
SYSTEM.INI -> %SystemRoot%\SYSTEM.INI -> [Ver = | Size = 227 bytes | Modified Date = 01/04/2007 18:07:30 | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 10/04/2007 01:37:28 | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 08/04/2007 12:50:06 | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 10/04/2007 13:23:10 | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 956 bytes | Modified Date = 08/04/2007 03:09:20 | Attr = ]
winamp.ini -> %SystemRoot%\winamp.ini -> [Ver = | Size = 1125 bytes | Modified Date = 10/04/2007 05:07:02 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 10/04/2007 01:04:44 | Attr = H ]
XoftSpySE.job -> %SystemRoot%\tasks\XoftSpySE.job -> [Ver = | Size = 360 bytes | Modified Date = 10/04/2007 06:10:02 | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 09/04/2007 17:25:14 | Attr = ]
bdod.bin -> %System32%\bdod.bin -> [Ver = | Size = 81984 bytes | Modified Date = 10/04/2007 13:22:58 | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 09/04/2007 17:25:38 | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 09/04/2007 17:26:46 | Attr = ]
CONFIG.NT -> %System32%\CONFIG.NT -> [Ver = | Size = 2626 bytes | Modified Date = 07/04/2007 07:48:52 | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 04/04/2007 10:01:28 | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 10/04/2007 01:28:50 | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 221632 bytes | Modified Date = 04/04/2007 10:21:30 | Attr = ]
getfile.dat -> %System32%\getfile.dat -> [Ver = | Size = 14 bytes | Modified Date = 07/04/2007 07:42:38 | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 09/04/2007 07:11:08 | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 09/04/2007 07:11:08 | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 07/04/2007 21:22:18 | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 1822 bytes | Modified Date = 01/04/2007 23:11:00 | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 09/04/2007 07:11:08 | Attr = ]
vkbfumkh -> %System32%\vkbfumkh -> [Folder | Modified Date = 07/04/2007 16:12:40 | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 09/04/2007 17:30:30 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 10/04/2007 01:04:40 | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 12/03/2007 20:36:18 | Attr = ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\210905_1916_עותק_של_תשסו_לוח_מבחנים_רבעו.xls:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\aawsepersonal.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\daemon400.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\daemon401-64.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\EytnTree.zip:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\hijackthis.zip:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\L2extreme.C4.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\POP The Two Thrones - SF3 Mini mdf-Image.rar:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\PRINCE.OF.PERSIA.TTT.ALL.KEELMAN.BACKUPCD.ZIP:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\Prison[1].Break.S02E07.rar:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\Safedisc2Cleaner_v120.zip:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\sfn.rar:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\spybotsd14.exe:Zone.Identifier ->
UPX! , UPX0 , -> %SystemRoot%\cpblpbc19.log -> [Ver = | Size = 71168 bytes | Modified Date = 25/05/2006 22:34:36 | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\cpblpbc20.log -> [Ver = | Size = 71168 bytes | Modified Date = 25/05/2006 21:57:12 | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\cpblpbc21.log -> [Ver = | Size = 69632 bytes | Modified Date = 13/05/2006 16:11:08 | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\cpblpbc22.log -> [Ver = | Size = 69632 bytes | Modified Date = 19/05/2006 12:43:04 | Attr = ]
UPX! , UPX0 , -> %System32%\aswBoot.exe -> [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Modified Date = 15/01/2007 19:32:08 | Attr = ]
UPX! , UPX0 , -> %System32%\cmbkpatl.exe -> [Ver = | Size = 87552 bytes | Modified Date = 24/05/2006 22:25:22 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 23/08/2001 14:00:00 | Attr = ]
UPX! , UPX0 , -> %System32%\jhvlqirm.exe -> [Ver = | Size = 86016 bytes | Modified Date = 28/09/2006 12:39:14 | Attr = ]
PEC2 , -> %System32%\MFC42.PDB -> [Ver = | Size = 8015872 bytes | Modified Date = 17/06/1998 | Attr = ]
PEC2 , -> %System32%\MFC42D.PDB -> [Ver = | Size = 3944448 bytes | Modified Date = 17/06/1998 | Attr = ]
PEC2 , -> %System32%\MFCD42D.PDB -> [Ver = | Size = 2052096 bytes | Modified Date = 17/06/1998 | Attr = ]
PEC2 , -> %System32%\MFCN42D.PDB -> [Ver = | Size = 1454080 bytes | Modified Date = 17/06/1998 | Attr = ]
PEC2 , -> %System32%\MFCO42D.PDB -> [Ver = | Size = 4395008 bytes | Modified Date = 17/06/1998 | Attr = ]
UPX! , UPX0 , -> %System32%\moghtpvq.exe -> [Ver = | Size = 87552 bytes | Modified Date = 05/05/2006 15:37:46 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 23/08/2001 14:00:00 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 23/08/2001 14:00:00 | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 04/08/2004 07:41:38 | Attr = ]

< End of report >

======= Finally the ComboFix log =====================================
"Itai" - 07-04-11 0:02:10 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Itai\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-10 05:23 <DIR> d-------- C:\Program Files\winpfind3u
2007-04-09 07:08 <DIR> d-------- C:\DOCUME~1\Itai\.housecall6.6
2007-04-08 03:38 <DIR> d-------- C:\DOCUME~1\Itai\APPLIC~1\Bitdefender
2007-04-08 03:13 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-04-08 03:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-04-08 03:04 <DIR> d-------- C:\Program Files\bitdefender
2007-04-08 02:44 <DIR> d-------- C:\Program Files\McAfee_stinger
2007-04-07 21:43 <DIR> d-------- C:\kav
2007-04-07 21:37 <DIR> d-------- C:\Program Files\kaspersky
2007-04-07 16:31 <DIR> d-------- C:\Deckard
2007-04-07 10:49 14 --a------ C:\DOCUME~1\Itai\getfile.dat
2007-04-07 07:48 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-07 07:48 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-07 07:48 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-07 07:48 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-07 07:48 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-07 07:48 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-07 07:48 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-07 07:48 <DIR> d-------- C:\Program Files\Alwil Software
2007-04-07 07:42 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-04-02 11:44 <DIR> d-------- C:\Program Files\rootkitrevealer
2007-04-01 22:53 1,822 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-01 13:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-28 17:51 <DIR> d-------- C:\WINDOWS\system32\vkbfumkh


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-10 23:59 -------- d-------- C:\DOCUME~1\Itai\APPLIC~1\skype
2007-04-10 15:28 913408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-04-09 16:25 -------- d-------- C:\Program Files\upsmon
2007-04-09 16:20 -------- d-------- C:\Program Files\netlimiter
2007-04-09 16:20 -------- d-------- C:\Program Files\msn messenger
2007-04-09 16:14 -------- d-------- C:\Program Files\icqlite
2007-04-09 16:07 -------- d-------- C:\Program Files\babylon
2007-04-08 12:51 -------- d-------- C:\Program Files\symantec
2007-04-08 12:51 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-08 03:32 -------- d-------- C:\Program Files\nmap-3.81
2007-04-07 07:46 -------- d-------- C:\Program Files\norton antivirus
2007-04-01 19:33 -------- d-------- C:\Program Files\messenger
2007-04-01 15:44 -------- d-------- C:\Program Files\the all-seeing eye
2007-03-29 16:57 -------- d-------- C:\Program Files\xoftspyse
2007-03-29 15:16 -------- d-------- C:\Program Files\azureus
2007-03-09 13:45 -------- d-------- C:\Program Files\logitech
2007-03-09 13:45 -------- d-------- C:\DOCUME~1\Itai\APPLIC~1\fotowire
2007-03-09 13:43 81920 -r------- C:\WINDOWS\bwunin-6.1.4.68-8876480l.exe
2007-03-09 13:43 -------- d--h----- C:\Program Files\installshield installation information
2007-03-08 17:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-13 23:32 796672 --a------ C:\WINDOWS\gpinstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"HijackThis startup scan"="C:\\Program Files\\Hijackthis\\hijackthis\\HijackThis.exe /startupscan"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UPSMON"="C:\\Program Files\\UPSMON\\UPSMON.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{B29BE267-3A64-4F7E-8A57-75FB5E900506}"="Windows Updater"
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"="google service"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\Install.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpySE.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 0:20:00
C:\ComboFix-quarantined-files.txt ... 07-04-11 00:20

--- It seems like none of the programs discovered the hidden files. What is your recommended action I should take?

thank you for your time and patience.

#11 amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 10 April 2007 - 09:20 PM

Hi Dantes,

I noticed that you are using Azureus. The program is clean at the moment but...I think the nature of P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware. I would recommend that you remove it from Add Remove Programs in Control Panel.

You might like to print these instructions so that you'll have access to them at all times, especially when you're in Safe Mode later.

You're right, none of the scans show those files.

Download Registry Search by Bobbi Flekman

http://www.xs4all.nl/~fstaal01/regsearch-us.html
http://www.bleepingcomputer.com/files/regsearch.php

Create a folder named C:\RegSearch for it and unzip into that folder.

==================================
Make sure that you can see hidden files
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

===================================

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
______________________________

While in Safe Mode, right click on Start and then click on Explore to bring up Windows Explorer. Then locate the following file and delete it when found:

C:\WINDOWS\gpinstall.exe

====================================

Still in Safe Mode, double-click the icon for RegSearch.exe in the C:\reg folder to launch the program.
Copy / Paste the following line into the Search Box:

zw0er_!

Then hit Ok

After completion Notepad will be opened with all the found instances of the strings. The resulting file is saved in the same location as RegSearch.exe. Please post the results back here.

=================================

Restart your computer in Normal Mode.

=================================

Start WinPFind3U. Copy/Paste the information inside the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> {B0099233-1FF5-4326-A3E8-24AE1DF18D57} [HKLM] -> Reg Data - Key not found [google service]
YN -> {B29BE267-3A64-4F7E-8A57-75FB5E900506} [HKLM] -> Reg Data - Key not found [Windows Updater]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.2_04 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
YN -> {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -> Java Plug-in 1.4.2_04 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
[Files/Folders - Created Within 30 days]
NY -> vkbfumkh -> %System32%\vkbfumkh
[Files/Folders - Modified Within 30 days]
NY -> vkbfumkh -> %System32%\vkbfumkh
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %SystemRoot%\cpblpbc19.log
NY -> UPX! , UPX0 , -> %SystemRoot%\cpblpbc20.log
NY -> UPX! , UPX0 , -> %SystemRoot%\cpblpbc21.log
NY -> UPX! , UPX0 , -> %SystemRoot%\cpblpbc22.log
NY -> UPX! , UPX0 , -> %System32%\cmbkpatl.exe
NY -> UPX! , UPX0 , -> %System32%\jhvlqirm.exe
NY -> UPX! , UPX0 , -> %System32%\moghtpvq.exe


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

====================================

Download Rootkit Revealer. Make sure that you are logged in as an Administrator to the computer for this scan.
  • Create a folder Rootkit Revealer in the following location C:\
  • Unzip to this folder.
  • Close ALL other open programmes, files and folders and disconnect from the internet. Close down all scheduling/updating + running background tasks, etc. Physically unplug the cable from PC to the internet connection.
  • Click on RootkitRevealer.exe to launch the programme.
  • Click Scan, and allow it to scan your computer.
You may get a warning from your protection systems that a new service is being installed, this will have a random name, and is generated by Rootkit revealer, allow it please.

IMPORTANT: other than to allow the above event, do not touch your computer while the scan is running, as this will generate false reports.

When the scan is finished, click File > Save, and save RootkitRevealer.txt to your C:\Rootkit Revealer folder.

Copy the log to your next post please.

=====================================

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply.
=====================================

Please post back the Registry search results, WinPFind log, Rootkit Revealer log, fsblxxxxxxx.log, and a fresh HijackThis log.
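
Triage logic for the WinPFind3U "File String Scan" lines quoted earlier in the thread, as an added example that is not part of this thread or of WinPFind3U: it parses the report format and flags UPX-packed files carrying a non-executable extension (the cpblpbcNN.log entries) and packed executables with no version resource (the random-named files in system32), while ignoring the Zone.Identifier streams, which only record that a file was downloaded. The sample report is constructed from lines in the thread; the line regex, the extension set and the Finding class are this example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the shape of a WinPFind3U "File String Scan" section
# (entries copied from the log posted above; the ADS line shows that it is skipped).
SAMPLE_REPORT = r"""[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\hijackthis.zip:Zone.Identifier ->
UPX! , UPX0 , -> %SystemRoot%\cpblpbc19.log -> [Ver = | Size = 71168 bytes | Modified Date = 25/05/2006 22:34:36 | Attr = ]
UPX! , UPX0 , -> %System32%\aswBoot.exe -> [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Modified Date = 15/01/2007 19:32:08 | Attr = ]
UPX! , UPX0 , -> %System32%\jhvlqirm.exe -> [Ver = | Size = 86016 bytes | Modified Date = 28/09/2006 12:39:14 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 23/08/2001 14:00:00 | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 04/08/2004 07:41:38 | Attr = ]
"""

# One report line: "<sig> , <sig> , -> <path> -> [<vendor>] [Ver = <ver> | Size = <n> bytes | ...]"
# (assumed layout derived from the lines in the thread; the .*? absorbs the optional vendor tag)
LINE_RE = re.compile(
    r"^(?P<sigs>.+?)-> (?P<path>.+?) -> .*?\[Ver =(?P<ver>.*?)\| Size = (?P<size>\d+) bytes"
)
# Extensions where a packer signature is unremarkable on its own (assumed set)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}

@dataclass
class Finding:
    path: str
    reason: str

def triage(report: str) -> list:
    # Return the string-scan entries that deserve a closer look
    findings = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("["):  # section header: only the string scan is parsed
            in_section = line == "[File String Scan - Non-Microsoft Only]"
            continue
        if not in_section or line.startswith("@"):
            continue  # Zone.Identifier streams only mark files that were downloaded
        m = LINE_RE.match(line)
        if not m:
            continue
        sigs = {s.strip() for s in m["sigs"].split(",") if s.strip()}
        path, ver = m["path"], m["ver"].strip()
        ext = ntpath.splitext(path)[1].lower()  # ntpath handles the backslashes on any OS
        if "UPX!" in sigs and ext not in EXEC_EXT:
            findings.append(Finding(path, "packer signature in a file with a non-executable extension"))
        elif "UPX!" in sigs and not ver:
            findings.append(Finding(path, "packed executable with no version resource"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.path}: {f.reason}")
```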

#12 amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 18 April 2007 - 05:41 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.
