Help ! Computer With Spyware On It


26 replies to this topic

#1 brute force

Posted 15 April 2007 - 07:50 PM

Thanks guys. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:27:40 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spoolcs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mbti.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\gsvpm.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\Frank Bruno\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transworldmotocross.com/mx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38061~2\Bar888.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton] C:\WINDOWS\system32\avjwfi.exe
O4 - HKLM\..\Run: [dior4f43616321] C:\WINDOWS\system32\dior4f43616321.exe
O4 - HKLM\..\Run: [sklrr7y3700473] C:\WINDOWS\system32\sklrr7y3700473.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Network Latency Controller] C:\WINDOWS\system32\mbti.exe
O4 - HKLM\..\Run: [dior4f42413611] C:\WINDOWS\system32\dior4f42413611.exe
O4 - HKLM\..\Run: [mlsdf8h6312224] C:\WINDOWS\system32\mlsdf8h6312224.exe
O4 - HKLM\..\Run: [nlkfev78307652] C:\WINDOWS\system32\nlkfev78307652.exe
O4 - HKLM\..\Run: [cjnr4r49213825] C:\WINDOWS\system32\cjnr4r49213825.exe
O4 - HKLM\..\Run: [sklrr7y7488423] C:\WINDOWS\system32\sklrr7y7488423.exe
O4 - HKLM\..\Run: [cjnr4r48271290] C:\WINDOWS\system32\cjnr4r48271290.exe
O4 - HKLM\..\Run: [sklrr7y8135108] C:\WINDOWS\system32\sklrr7y8135108.exe
O4 - HKLM\..\Run: [mlsdf8h9699424] C:\WINDOWS\system32\mlsdf8h9699424.exe
O4 - HKLM\..\Run: [nlkfev7567122] C:\WINDOWS\system32\nlkfev7567122.exe
O4 - HKLM\..\Run: [dior4f46732971] C:\WINDOWS\system32\dior4f46732971.exe
O4 - HKLM\..\Run: [mlsdf8h7446974] C:\WINDOWS\system32\mlsdf8h7446974.exe
O4 - HKLM\..\Run: [sklrr7y2928898] C:\WINDOWS\system32\sklrr7y2928898.exe
O4 - HKLM\..\Run: [tmbs] C:\WINDOWS\system32\tmbs.exe
O4 - HKLM\..\Run: [rssb] C:\WINDOWS\system32\rssb.exe
O4 - HKLM\..\Run: [rsmg] C:\WINDOWS\system32\rsmg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Print Spooler Service (a8a1okoke) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: Access Task Manager - Unknown owner - C:\WINDOWS\system32\spoolcs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Machine Debug Manager (MachineDbMgr) - Unknown owner - C:\WINDOWS\system32\mdm.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\sklrr7ymxhrakuep.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


#2 miekiemoes (Malware Response Team)

Posted 16 April 2007 - 01:35 AM

Hello,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

But first and most important thing....

When a computer is infected, the first thing you should do is try to remove it using an antivirus scanner.
Unfortunately I don't see that you ever scanned; you don't even have an antivirus scanner installed.

It doesn't make sense for us to clean this up manually if a scanner can already get rid of most of it.
Looks like there's more malware present than anything else here...

That's why I recommend you install a scanner first.

Please download and install the free Antivirus Avira:
http://www.free-av.com/

Reboot after you installed it.
After reboot, check for updates and let it update.

Then let it perform a full scan and let it remove everything it is finding.
Reboot once again afterwards, because some files may be in use and they need to be removed after a reboot.

Then, Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
  • Post the contents of the AVG Anti-Spyware log you saved in your next reply, together with a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
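The indicators the helper is reacting to are visible in the posted log itself: the F2 lines have mbti.exe chained in after Explorer.exe (Shell=) and userinit.exe (UserInit=), a run of O4 autostart entries with generated-looking names under system32, and O23 services listed as "Unknown owner" or "(file missing)". As an added example that is not part of the original thread, here is a small Python triage script that applies those checks to a constructed subset of the posted log. The allowlist, the severities and the digit-run heuristic are assumptions chosen for this illustration, not HijackThis's own logic, and the ATI line is included on purpose to show a legitimate OEM service that the "Unknown owner" rule also catches.

```python
import re

# Constructed sample: a subset of lines from the HijackThis log posted in this
# thread, plus a few benign entries (QuickTime, ctfmon, Intel EvtEng, the ATI
# hotkey service) so the checks have legitimate lines to judge as well.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton] C:\WINDOWS\system32\avjwfi.exe
O4 - HKLM\..\Run: [dior4f43616321] C:\WINDOWS\system32\dior4f43616321.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Network Latency Controller] C:\WINDOWS\system32\mbti.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Print Spooler Service (a8a1okoke) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\sklrr7ymxhrakuep.exe (file missing)
"""

# Windows binaries that legitimately start from system32 via Run/Shell/UserInit.
# Assumption: a deliberately small allowlist for this example, not an authoritative one.
KNOWN_SYSTEM32 = {"ctfmon.exe", "userinit.exe", "explorer.exe", "rundll32.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)  # first executable in a command line


def basename(path):
    return path.rsplit("\\", 1)[-1].strip().lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def analyze(log_text):
    """Return one finding dict per suspicious HijackThis line (heuristic; expect to triage)."""
    findings = []

    def flag(section, severity, reason, line):
        findings.append({"section": section, "severity": severity, "reason": reason, "line": line})

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" ", 1)[0]

        m = F2_RE.match(line)
        if m:  # Shell= and UserInit= must name exactly Explorer.exe / userinit.exe and nothing else
            key, value = m.group("key"), m.group("value")
            if key == "Shell":
                ok = [t.lower() for t in value.split()] == ["explorer.exe"]
            else:
                parts = [p for p in value.split(",") if p.strip()]
                ok = len(parts) == 1 and basename(parts[0]) == "userinit.exe"
            if not ok:
                flag(section, "HIGH", f"{key}= chains in an extra executable that runs at every logon", line)
            continue

        if section in ("O2", "O3", "O9") and line.endswith("(no file)"):
            flag(section, "LOW", "orphaned browser add-on registration (no file on disk)", line)
            continue

        m = O4_RE.match(line)
        if m:  # autostart entries: a binary dropped into system32 that is not a Windows component
            e = EXE_RE.match(m.group("cmd"))
            if e and in_system32(e.group("exe")) and basename(e.group("exe")) not in KNOWN_SYSTEM32:
                reason = "autorun of a non-Windows binary placed in system32"
                if re.search(r"\d{5,}", basename(e.group("exe"))):  # crude: long digit runs in the name
                    reason += "; generated-looking file name"
                flag(section, "HIGH", reason, line)
            continue

        m = O23_RE.match(line)
        if m:  # services: dead entries are easy wins, unknown-owner binaries in system32 need a look
            owner, path = m.group("owner"), m.group("path")
            if path.endswith("(file missing)"):
                flag(section, "MEDIUM", "service points at a deleted binary; remove the service entry", line)
            elif owner == "Unknown owner" and in_system32(path):
                flag(section, "HIGH", "unknown-owner service in system32 (verify: OEM drivers like ATI's also match)", line)
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['section']}: {f['reason']}\n    {f['line']}")
    print(summary(found))
```

On the sample this yields nine findings (seven HIGH, one MEDIUM, one LOW) and leaves the QuickTime, ctfmon and Intel lines alone; the ATI service is a deliberate false positive that a human still has to clear, which is why the helper asks for the whole log rather than trusting any one rule.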

#3 brute force (Topic Starter)

Posted 21 April 2007 - 11:42 AM

Yep, thanks.

But the virus is not the problem. I saw that my friend doesn't have any. So I tried to put AVG on there and it gave me an error.

I will look at it closer this weekend.

I will then post again.

Thanks

#4 miekiemoes (Malware Response Team)

Posted 21 April 2007 - 12:03 PM

This is confusing now and I am not sure what you are trying to say. The HijackThis log you posted shows that your system is terribly infected.

"but the virus is not the problem. i saw that my friend doesnt have any"

Of course this is a problem. When malware is present, it causes a lot of other problems as well.
We cannot solve problems as long as malware is present; that's why it is important that you follow the steps I posted, including installing an antivirus. I wasn't talking only about AVG Anti-Spyware.

Edited by miekiemoes, 21 April 2007 - 12:05 PM.


#5 brute force (Topic Starter)

Posted 22 April 2007 - 01:35 AM

Thanks. Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 3:29:16 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Frank Bruno\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton] C:\WINDOWS\system32\avjwfi.exe
O4 - HKLM\..\Run: [RunAppBk] C:\tjAgent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Print Spooler Service (a8a1okoke) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
O23 - Service: Access Task Manager - Unknown owner - C:\WINDOWS\system32\spoolcs.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Machine Debug Manager (MachineDbMgr) - Unknown owner - C:\WINDOWS\system32\mdm.exe (file missing)
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\sklrr7ymxhrakuep.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#6 miekiemoes (Malware Response Team)

Posted 22 April 2007 - 03:16 AM

Hello,

Do you see now why an Antivirus is so important? It already removed a lot of malware.

But we are not finished yet...

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Reboot afterwards...

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
do not use the scan yet

--------------------------

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

---------------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Norton] C:\WINDOWS\system32\avjwfi.exe
O4 - HKLM\..\Run: [RunAppBk] C:\tjAgent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Print Spooler Service (a8a1okoke) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
O23 - Service: Access Task Manager - Unknown owner - C:\WINDOWS\system32\spoolcs.exe (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: Machine Debug Manager (MachineDbMgr) - Unknown owner - C:\WINDOWS\system32\mdm.exe (file missing)
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\sklrr7ymxhrakuep.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

--------------------------
  • Doubleclick the drweb-cureit.exe, Click Start and Allow to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible it displays a popup to buy it in between, to buy or 50% discount. Just close that popup again.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Once the scan has finished, it will display a list of the files found, checked by default.
    If the file "process.exe" was found, uncheck it. This is because this file is related to SDFix and SDFix needs it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then, click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
-------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post the following logs in your next reply:

* Log from Combofix (C:\combofix.txt)
* Log from DrWeb CureIt
* Log from SDFix (present in the SDFix-folder)
* New HijackThis log

#7 brute force (Topic Starter)

Posted 22 April 2007 - 05:51 PM

Here you go.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:31:58 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Frank Bruno\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Machine Debug Manager (MachineDbMgr) - Unknown owner - C:\WINDOWS\system32\mdm.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


ipwins.exe;c:\program files\ipwindows;Trojan.Rond;Deleted.;
awtussq.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
cbxyawu.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
hgggghf.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
jkhih.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
khfgfdc.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
opnmmlk.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
pmnlkhe.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
qomjgec.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
itunes32b.exe;C:\;Adware.DollarRevenue;Moved.;
NNSCAA638.EXE;C:\;Adware.NewDotNet;Moved.;
stub_sca3.exe;C:\;Trojan.DownLoader.10588;Deleted.;
upsc[1];C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZQQBBUH0;Trojan.Virtumod;Deleted.;
i10.tmp;C:\Documents and Settings\Derek Morin\Local Settings\Temp;Adware.Surfside;Moved.;
shopbiz.exe;C:\Documents and Settings\Derek Morin\Local Settings\Temp;Adware.IESearch;Moved.;
popup[1].htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\3NHBTGC1;Trojan.Click.1394;Deleted.;
CA5IJVPY.htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\CCVVC7S7;Win32.HLLM.Graz;Incurable.Moved.;
popup[1].htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\G7FRMKH1;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\IT30DKNE;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\IT30DKNE;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\U89SK3V5;Trojan.Click.1394;Deleted.;
popup[4].htm;C:\Documents and Settings\Derek Morin\Local Settings\Temp\Temporary Internet Files\Content.IE5\U89SK3V5;Trojan.Click.1394;Deleted.;
upsc[1];C:\Documents and Settings\Derek Morin\Local Settings\Temporary Internet Files\Content.IE5\H8ONV8H5;Trojan.Virtumod;Deleted.;
lo1[1];C:\Documents and Settings\Derek Morin\Local Settings\Temporary Internet Files\Content.IE5\NMDOMZ10;Trojan.Virtumod;Deleted.;
upsc[1];C:\Documents and Settings\Derek Morin\Local Settings\Temporary Internet Files\Content.IE5\NMDOMZ10;Trojan.Virtumod;Deleted.;
iss[1].rt;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JKLM567;Trojan.Virtumod;Deleted.;
arp[1].tar;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YZI1KLM5;Adware.DollarRevenue;Moved.;
GTDownDE_87.ocx;C:\i386;Adware.Gdown;Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Moved.;
UnInstall.exe;C:\Program Files\Common Files\{380614E7-063A-1033-0118-050408160001};Adware.Lucky;Moved.;
UnInstall.exe;C:\Program Files\Ipwindows;Trojan.Rond;Deleted.;
Process.exe;C:\sdfix\SDFix\apps;Tool.Prockill;Moved.;
A0085090.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.Generic.1372;Deleted.;
A0085091.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.Generic.1372;Deleted.;
A0085108.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Trojan.MulDrop.4100;Deleted.;
A0085113.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085120.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085217.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085219.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.HackDef.227;Deleted.;
A0085267.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085269.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.HackDef.227;Deleted.;
A0085374.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Trojan.Qoologic;Deleted.;
A0085381.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085383.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.HackDef.227;Deleted.;
A0085412.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Tool.ProcessKill;Moved.;
A0085415.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.MyWay;Moved.;
A0085416.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085419.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.HackDef.227;Deleted.;
A0085421.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085423.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085428.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Adware.Look2me;Moved.;
A0085429.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;Trojan.MulDrop.4100;Deleted.;
A0085430.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150;BackDoor.HackDef.227;Deleted.;
A0085488.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085493.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085494.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085498.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085502.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085508.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085510.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085514.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085521.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0085521.exe;Trojan.Runner;;
A0085521.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Archive contains infected objects;Moved.;
A0085580.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085590.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085597.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085601.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085602.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085607.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085611.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085612.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085616.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085618.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085623.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085624.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;BackDoor.HackDef.227;Deleted.;
A0085691.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085697.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085704.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Adware.Look2me;Moved.;
A0085709.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085904.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0085929.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151;Trojan.MulDrop.4100;Deleted.;
A0086032.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152;Trojan.MulDrop.4100;Deleted.;
A0086064.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153;Trojan.MulDrop.4100;Deleted.;
A0086079.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153;Trojan.MulDrop.4100;Deleted.;
A0086086.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153;Trojan.MulDrop.4100;Deleted.;
A0086226.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154;Trojan.MulDrop.4100;Deleted.;
A0086250.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Trojan.MulDrop.4100;Deleted.;
A0086347.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Trojan.MulDrop.4100;Deleted.;
A0086355.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;BackDoor.HackDef.227;Deleted.;
A0086392.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Trojan.MulDrop.5612;Deleted.;
A0086393.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Trojan.MulDrop.5694;Deleted.;
A0086394.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Trojan.DownLoader.10918;Deleted.;
A0086416.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Adware.DollarRevenue;Moved.;
A0086417.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Adware.DollarRevenue;Moved.;
A0086433.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155;Trojan.MulDrop.2785;Deleted.;
A0086441.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086442.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086443.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086444.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086445.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086446.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086447.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086448.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086449.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086450.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086451.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086452.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086453.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086454.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086455.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086456.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086457.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086458.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086459.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086460.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086461.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086462.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086463.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086464.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086465.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086466.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086467.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086468.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086469.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086470.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086471.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086472.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086473.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086474.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086475.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086476.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086477.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086478.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086479.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086480.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086481.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086482.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086483.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086484.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086485.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086486.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086487.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086488.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086489.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086490.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086491.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086492.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086493.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086494.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0086498.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.Popuper;Deleted.;
A0086500.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.Popuper;Deleted.;
A0086501.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.Click.911;Deleted.;
A0086514.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086519.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086522.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086529.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.MulDrop.4016;Deleted.;
A0086531.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086533.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086536.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086540.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086544.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086546.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086547.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086548.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.MulDrop.4016;Deleted.;
A0086549.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086550.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086551.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086554.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086557.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.EmailSpy;Deleted.;
A0086560.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.MulDrop.4016;Deleted.;
A0086565.exe\data001;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156\A0086565.exe;Trojan.Popuper;;
A0086565.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156\A0086565.exe;Trojan.Popuper;;
A0086565.exe\data004;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156\A0086565.exe;Trojan.Dyfuca;;
A0086565.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Archive contains infected objects;Moved.;
A0086574.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.MulDrop.4100;Deleted.;
A0087371.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.MulDrop.4174;Deleted.;
A0087377.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;Trojan.MulDrop.4174;Deleted.;
A0089440.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP156;BackDoor.HackDef.227;Deleted.;
A0091454.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP158;BackDoor.HackDef.227;Deleted.;
A0091455.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP159;Trojan.MulDrop.4176;Deleted.;
A0091486.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160\A0091486.exe;Trojan.Dyfuca;;
A0091486.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160;Archive contains infected objects;Moved.;
A0091489.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160;Trojan.Click.1881;Deleted.;
A0091490.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160;Trojan.MulDrop.4176;Deleted.;
A0091556.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161;Trojan.Runner;Deleted.;
A0092622.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162;BackDoor.HackDef.227;Deleted.;
A0092740.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP163;BackDoor.HackDef.227;Deleted.;
A0101680.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.MulDrop.4156;Deleted.;
A0101681.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.MulDrop.4100;Deleted.;
A0101684.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.DownLoader.18709;Deleted.;
A0101685.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.MulDrop.4156;Deleted.;
A0101686.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.MulDrop.4156;Deleted.;
A0101688.com;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.MulDrop.4100;Deleted.;
A0101702.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.Spambot;Deleted.;
A0101706.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;BackDoor.HackDef.227;Deleted.;
A0101709.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Adware.BookedSpace;Moved.;
A0101713.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.DownLoader.13289;Deleted.;
A0112684.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189;Trojan.MulDrop.4156;Deleted.;
876056.exe;C:\WINDOWS;Adware.Mirarbar;Moved.;
NDNuninstall6_38.exe;C:\WINDOWS;Adware.NewDotNet;Moved.;
stub_mma3.exe;C:\WINDOWS;Trojan.DownLoader.10588;Deleted.;
awtussq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
cbxyawu.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
ddcabcb.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
f6l02g3mg6.dll;C:\WINDOWS\system32;Adware.Look2me;Moved.;
fccyvsr.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\system32;Adware.Gdown;Moved.;
hggfefc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hgggghf.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
idkvfwrf.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
jkhih.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
kcnzrop6.exe;C:\WINDOWS\system32;Adware.Yavak;Moved.;
khfgfdc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
l60ulgd9160.dll;C:\WINDOWS\system32;Adware.Look2me;Moved.;
opnmmlk.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
ordsregk.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Moved.;
p04u0ah9ed4.dll;C:\WINDOWS\system32;Adware.Look2me;Moved.;
pmnlkhe.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
pwpkpuku.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
qomjgec.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
yayxvss.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ZICORN003.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Moved.;
2new.exe;C:\WINDOWS\system32\bund1;Adware.NewDotNet;Moved.;
installdrivecleanerstart[1].exe;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\V8CSQO42;Trojan.DownLoader.17676;Deleted.;



SDFix: Version 1.79

Run by Derek Morin - Sun 04/22/2007 - 16:34:49.52

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX
nlc
TIME
Windows Overlay Components
a8a1okoke

ImagePath:
"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501
C:\WINDOWS\system32\mbti.exe
C:\WINDOWS\system32\sklrr7ymxhrakuep.exe
C:\WINDOWS\tgqhyev.exe
C:\WINDOWS\system32\rsbmsc.exe /service

Client IP-IPX - Deleted
nlc - Deleted
TIME - Deleted
Windows Overlay Components - Deleted
a8a1okoke - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\939922~1 - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun2.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe - Deleted
C:\WINDOWS\Temp\stdrun3.exe - Deleted
C:\WINDOWS\Temp\stdrun5.exe - Deleted
C:\WINDOWS\system32\cjnr4r4bmwfpzjt.exe - Deleted
C:\WINDOWS\system32\cjnr4r4oyhrbkveo.exe - Deleted
C:\WINDOWS\system32\cjnr4r4zjtclwgpa.exe - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C482.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C484.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C488.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C48B.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C48C.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C48D.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C497.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4B4.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4B5.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4B6.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4B7.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4E1.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4E2.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4F8.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r4FB66C4F9.tmp - Deleted
C:\WINDOWS\system32\dior4f4iscmvfpz.exe - Deleted
C:\WINDOWS\system32\dior4f4lveoxhrbl.exe - Deleted
C:\WINDOWS\system32\dior4f4sdnwg.exe - Deleted
C:\WINDOWS\system32\dior4f4udnwgqakue.exe - Deleted
C:\WINDOWS\system32\mlsdf8hfoxirb.exe - Deleted
C:\WINDOWS\system32\mlsdf8hjuenwhqa.exe - Deleted
C:\WINDOWS\system32\mlsdf8hzktcm.exe - Deleted
C:\WINDOWS\system32\nlkfev7mwfpzitcm.exe - Deleted
C:\WINDOWS\system32\nlkfev7qaktdnxgr.exe - Deleted
C:\WINDOWS\system32\nlkfev7tdmwfp.exe - Deleted
C:\WINDOWS\Temp\nlkfev7E663D792.tmp - Deleted
C:\WINDOWS\Temp\nlkfev7E663D795.tmp - Deleted
C:\WINDOWS\system32\sklrr7yfoyirclvgp.exe - Deleted
C:\WINDOWS\system32\sklrr7yitdn.exe - Deleted
C:\WINDOWS\system32\sklrr7yzkudm.exe - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C482.tmp - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C488.tmp - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C48B.tmp - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C48C.tmp - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C48D.tmp - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C4B6.tmp - Deleted
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\cjnr4r4FB66C4B7.tmp - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\1124997837\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124997837\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\AOL\\1151561952\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1151561952\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1151561952\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1151561952\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\ctrmjt.exe"="C:\\WINDOWS\\system32\\ctrmjt.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\rhampr.exe"="C:\\WINDOWS\\system32\\rhampr.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\avjwfi.exe"="C:\\WINDOWS\\system32\\avjwfi.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\vrss.exe"="C:\\WINDOWS\\system32\\vrss.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\mbti.exe"="C:\\WINDOWS\\system32\\mbti.exe:*:Enabled:Microsoft ® Windows Network Latency Controller"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\gsvpm.exe"="C:\\WINDOWS\\gsvpm.exe:*:Enabled:AntiVirusUpdateExe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\1124997837\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124997837\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\ctrmjt.exe"="C:\\WINDOWS\\system32\\ctrmjt.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\rhampr.exe"="C:\\WINDOWS\\system32\\rhampr.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\avjwfi.exe"="C:\\WINDOWS\\system32\\avjwfi.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\vrss.exe"="C:\\WINDOWS\\system32\\vrss.exe:*:Enabled:Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\sdfix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\Program Files\Common Files\??curity\?hkntfs.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\WINDOWS\system32\kjjjl.tmp

Finished

"Derek Morin" - 07-04-22 18:06:45 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Derek Morin\Desktop\


((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{80852D5B-3D64-4F50-80CF-7A1127C59FFF}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{80852D5B-3D64-4F50-80CF-7A1127C59FFF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{80852D5B-3D64-4F50-80CF-7A1127C59FFF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{80852D5B-3D64-4F50-80CF-7A1127C59FFF}\InprocServer32]
@="C:\\WINDOWS\\system32\\dmskperf.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{FEF2651A-74A7-4BFD-AB1B-09ADD80195CB}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FEF2651A-74A7-4BFD-AB1B-09ADD80195CB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FEF2651A-74A7-4BFD-AB1B-09ADD80195CB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FEF2651A-74A7-4BFD-AB1B-09ADD80195CB}\InprocServer32]
@="C:\\WINDOWS\\system32\\cvadmin.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{F837412B-7E7D-4646-AAFA-E0A684568464}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F837412B-7E7D-4646-AAFA-E0A684568464}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F837412B-7E7D-4646-AAFA-E0A684568464}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F837412B-7E7D-4646-AAFA-E0A684568464}\InprocServer32]
@="C:\\WINDOWS\\system32\\vmoy.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{D1CE44C9-7C8C-4875-B86E-E3406D5BAFD2}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D1CE44C9-7C8C-4875-B86E-E3406D5BAFD2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{D1CE44C9-7C8C-4875-B86E-E3406D5BAFD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D1CE44C9-7C8C-4875-B86E-E3406D5BAFD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\mwftedit.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting SeDebugPrivilege to Administrators ... successful



(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cbxyawu.dll
C:\WINDOWS\system32\hihkj.bak1
C:\WINDOWS\system32\hihkj.ini
C:\WINDOWS\system32\jkhih.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\uninstall_nmon.vbs
C:\DOCUME~1\DEREKM~1\APPLIC~1\Sskcwrd.dll
C:\DOCUME~1\DEREKM~1\APPLIC~1\Sskdmns.dll
C:\DOCUME~1\DEREKM~1\APPLIC~1\Sskknwrd.dll
C:\WINDOWS\764.exe
C:\Program Files\Common Files\simtest\svchostsys.bat
C:\Program Files\Common Files\simtest\temp.txt
C:\Program Files\cmfibula\sf.txt
C:\Program Files\cmfibula\Uninstall.exe
C:\Program Files\pslister\Uninstall.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\DOCUME~1\DEREKM~1\Desktop.\internet explorer.lnk
C:\WINDOWS\stat
C:\WINDOWS\uni_eh10.exe
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\cmfibula
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\pslister
C:\WINDOWS\system32\bund1
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\Program Files\Common Files\{38061~1
C:\Program Files\Common Files\{38061~2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\WNSXS~1
C:\qoobox\purity\C\Program Files\Common Files\CURITY~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-22 15:06 <DIR> d-------- C:\DOCUME~1\DEREKM~1\DoctorWeb
2007-04-16 19:13 26,714 --------- C:\WINDOWS\system32\hgggghf.dll
2007-04-16 05:49 1,372,798 --ahs---- C:\WINDOWS\system32\kjjjl.ini2
2007-04-15 21:01 26,714 --------- C:\WINDOWS\system32\awtussq.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-22 12:42 -------- d-------- C:\Program Files\viewpoint
2007-04-21 16:10 -------- d-------- C:\Program Files\ofb11
2007-04-21 16:09 -------- d-------- C:\Program Files\messenger
2007-04-21 15:22 1372614 --ahs---- C:\WINDOWS\system32\kjjjl.bak1
2007-04-21 15:22 1371875 --ahs---- C:\WINDOWS\system32\kjjjl.bak2
2007-04-16 19:05 -------- d-------- C:\Program Files\online services
2007-04-15 21:11 -------- d-------- C:\Program Files\google
2007-04-15 21:07 -------- d--h----- C:\Program Files\installshield installation information
2007-04-15 21:07 -------- d-------- C:\Program Files\dell
2007-04-15 20:54 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-03-17 11:39 30720 --a------ C:\WINDOWS\7search.dll
2007-03-17 11:39 30464 --a------ C:\WINDOWS\updatetc.exe
2007-03-17 11:39 29952 --a------ C:\WINDOWS\wml.exe
2007-03-17 11:39 29696 --a------ C:\WINDOWS\cdsm32.dll
2007-03-17 11:39 26368 --a------ C:\WINDOWS\system32\wml.exe
2007-03-17 11:39 26368 --a------ C:\WINDOWS\susp.exe
2007-03-17 11:39 25856 --a------ C:\WINDOWS\flt.dll
2007-03-17 11:39 25856 --a------ C:\WINDOWS\180ax.exe
2007-03-17 11:39 25344 --a------ C:\WINDOWS\system32\msixu.dll
2007-03-17 11:39 25344 --a------ C:\WINDOWS\stcloader.exe
2007-03-17 11:39 23808 --a------ C:\WINDOWS\pbar.dll
2007-03-17 11:39 23040 --a------ C:\WINDOWS\vxddsk.exe
2007-03-17 11:39 23040 --a------ C:\WINDOWS\mspphe.dll
2007-03-17 11:39 22272 --a------ C:\WINDOWS\system32\wer8274.dll
2007-03-17 11:39 22016 --a------ C:\WINDOWS\bjam.dll
2007-03-17 11:39 17664 --a------ C:\WINDOWS\swin32.dll
2007-03-17 11:39 14336 --a------ C:\WINDOWS\saiemod.dll
2007-03-17 11:39 12800 --a------ C:\WINDOWS\salm.exe
2007-03-17 11:39 12032 --a------ C:\WINDOWS\satmat.exe
2007-03-17 11:39 10752 --a------ C:\WINDOWS\voiceip.dll
2007-03-17 11:39 10752 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-03-17 11:39 10752 --a------ C:\WINDOWS\bokja.exe
2007-03-17 11:36 0 --a------ C:\WINDOWS\system32\cdromdrv32.dll
2007-02-10 06:03 268704 --a------ C:\WINDOWS\ofb11_setup.exe
2007-02-01 23:18 60416 --a------ C:\WINDOWS\ic5.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0F782826-984A-4212-A199-F5BBF00137A0} C:\WINDOWS\system32\ljjjk.dll [x]
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\xxiweagg.dll [x]
{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} C:\WINDOWS\system32\awtussq.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
{8F0E0244-5A13-4E41-B884-F9BF7804BD69} C:\Program Files\Online Services\woce.dll
{A09B31E4-BD77-47AD-73A5-D3E521FF59DE} C:\Program Files\Messenger\banuji.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sntcw"="C:\\WINDOWS\\system32\\wyjjux.exe reg_run"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Sen"="\"C:\\PROGRA~1\\COMMON~1\\WNSXS~1\\taskmgr.exe\" -vt yazr"
"Tgkilvyy"="C:\\Program Files\\Common Files\\??curity\\?hkntfs.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"WinMedia"="C:\\mt2560.exe"
"Kernel Fault Safe"="C:\\WINDOWS\\smss.exe"
"Microsoft Windows Installer"="C:\\WINDOWS\\TEMP\\stdrun5.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Common Files\zyre.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\ComPlus Applications\wopype.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AF1CC022-0228-42AE-912D-0CE89CD6559D}"=""
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtussq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggghf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgfdc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\p4reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlkhe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjgec
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtur

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 22 April 2007 - 06:01 PM

Hi,

Jeezes, what a mess! O_O
If that was my computer, I wouldn't doubt for a second to format and reinstall.

Your ComboFix log is incomplete. Can you look where it cut off and post the rest please?

Also, I need another HijackThis log, but this time rename HijackThis.exe to Analyze.exe.
Then scan with Analyze.exe and post the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 22 April 2007 - 06:21 PM

Never mind, ignore my last post, because I cannot wait any longer to deal with this; this computer really gives me the creeps. It's been a long time since I have seen more malware present than anything else on a system.

Anyway, perform the next steps in the right order please.

* Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste the next bold part into that window:

    C:\WINDOWS\system32\kjjjl.tmp
    C:\Program Files\ofb11
    C:\WINDOWS\system32\kjjjl.bak1
    C:\WINDOWS\system32\kjjjl.bak2
    C:\WINDOWS\system32\gtv_sd.bin
    C:\WINDOWS\7search.dll
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\susp.exe
    C:\WINDOWS\flt.dll
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\satmat.exe
    C:\WINDOWS\voiceip.dll
    C:\Program Files\Online Services\woce.dll
    C:\WINDOWS\system32\vxddsk.exe
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\system32\cdromdrv32.dll
    C:\WINDOWS\ofb11_setup.exe
    C:\WINDOWS\ic5.exe


  • Then click the red Moveit! button below.
  • This will display the results in the right window, where it says "Results" on top.
  • Copy and paste everything present in the Results window (right window), save these results in Notepad and save it on your desktop, because I need to see those results afterwards.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Then, open Notepad and copy and paste what is present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AF1CC022-0228-42AE-912D-0CE89CD6559D}"=-
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ctrmjt.exe"=-
"C:\\WINDOWS\\system32\\rhampr.exe"=-
"C:\\WINDOWS\\system32\\avjwfi.exe"=-
"C:\\WINDOWS\\system32\\vrss.exe"=-
"C:\\WINDOWS\\system32\\mbti.exe"=-
"C:\\WINDOWS\\gsvpm.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ctrmjt.exe"=-
"C:\\WINDOWS\\system32\\rhampr.exe"=-
"C:\\WINDOWS\\system32\\avjwfi.exe"=-
"C:\\WINDOWS\\system32\\vrss.exe"=-

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

Save this as remove.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: (screenshot)
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

(We'll deal with the other keys in your log afterwards)

* Go to start > run and copy and paste next command in the field:

sc delete MachineDbMgr

Hit enter

Then, go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select everything you find in there (except for "My current home page") and press the delete button on the right.
Hit ok below > apply in previous window.

Then, go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\Derek Morin\Desktop\ComboFix.exe" /v awtussq hgggghf ljjjk


Hit enter.

This should start combofix again, but in another way.

After reboot, post the new Combofix-log (C:\Combofix.txt) in your next reply together with a new HijackThislog (you may need more than one reply to post the logs)

Edited by miekiemoes, 22 April 2007 - 06:25 PM.

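As an added example (not from the post above and not part of any tool it names): a Python dry-run reader for REGEDIT4 cleanup files like the remove.reg above. It lists what merging the file would do and pulls out the Windows Firewall exceptions it removes, so a fix can be reviewed before it is double-clicked; `parse_reg_actions` and `firewall_exceptions_removed` are names chosen here, and only the .reg syntax the post uses is handled.

```python
"""Dry-run reader for REGEDIT4 cleanup files such as the remove.reg above.

Merging a .reg file cannot be undone without a backup, so list what it
would do first.  Handled syntax (the subset the post uses): [KEY] headers,
[-KEY] key deletions, "name"=- value deletions and "name"="string" values.
"""
import re
from typing import List, Optional, Tuple

# ("delete_key", key) | ("delete_value", key, name) | ("set_value", key, name, data)
Action = Tuple[str, ...]

# "name"=data, where name may contain backslash-escaped quotes or backslashes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# The remove.reg from the post above, used here as sample input.
REMOVE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AF1CC022-0228-42AE-912D-0CE89CD6559D}"=-
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ctrmjt.exe"=-
"C:\\WINDOWS\\system32\\rhampr.exe"=-
"C:\\WINDOWS\\system32\\avjwfi.exe"=-
"C:\\WINDOWS\\system32\\vrss.exe"=-
"C:\\WINDOWS\\system32\\mbti.exe"=-
"C:\\WINDOWS\\gsvpm.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ctrmjt.exe"=-
"C:\\WINDOWS\\system32\\rhampr.exe"=-
"C:\\WINDOWS\\system32\\avjwfi.exe"=-
"C:\\WINDOWS\\system32\\vrss.exe"=-

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"""


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_actions(text: str) -> List[Action]:
    """Return the registry operations merging `text` would perform, in order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("file does not start with the REGEDIT4 header")
    actions: List[Action] = []
    current_key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # key paths in headers are not escaped
            if key.startswith("-"):
                # [-KEY] deletes the whole key and everything under it
                actions.append(("delete_key", key[1:]))
                current_key = None
            else:
                current_key = key
            continue
        m = _VALUE_RE.match(line)
        if m is None or current_key is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        name, data = _unescape(m.group(1)), m.group(2).strip()
        if data == "-":
            # "name"=- deletes one value from the current key
            actions.append(("delete_value", current_key, name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            actions.append(("set_value", current_key, name, _unescape(data[1:-1])))
        else:
            raise ValueError(f"unsupported data (only strings handled): {raw!r}")
    return actions


def firewall_exceptions_removed(actions: List[Action]) -> List[str]:
    """Programs whose Windows Firewall AuthorizedApplications entry is deleted.

    In those lists the value name is the program path itself; the result is
    sorted and de-duplicated because an exe usually sits in both profiles.
    """
    paths = set()
    for act in actions:
        key = act[1].lower()
        if (act[0] == "delete_value" and "\\firewallpolicy\\" in key
                and key.endswith("\\authorizedapplications\\list")):
            paths.add(act[2])
    return sorted(paths)


if __name__ == "__main__":
    acts = parse_reg_actions(REMOVE_REG)
    for act in acts:
        print("  ".join(act))
    print("firewall exceptions removed:", firewall_exceptions_removed(acts))
```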

#10 brute force

brute force
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 23 April 2007 - 08:12 AM

Yep. Absolutely one of the worst I have seen. I told my friend the same. But then again, as you had indicated, he didn't even have an antivirus program running. Who doesn't have an antivirus program running today????

I'll get going on your suggestions and let you know.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 23 April 2007 - 08:19 AM

Well, one thing is for sure - your friend has to change his surfing habits, because the way he is using his computer now is just irresponsible. He's not only responsible for infecting his own computer but also for infecting a lot of other computers.

Also, once we're done here and could clean the malware - although damage may still be present which we can't always repair - he has to change ALL his passwords, because they are known.

#12 brute force

brute force
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 23 April 2007 - 11:12 AM

I will make sure I let him know. This was ridiculous and I am sorry about this. Thanks again. Here is the latest.

Logfile of HijackThis v1.99.1
Scan saved at 1:07:01 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Frank Bruno\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {0F782826-984A-4212-A199-F5BBF00137A0} - C:\WINDOWS\system32\ljjjk.dll (file missing)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\xxiweagg.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8F0E0244-5A13-4E41-B884-F9BF7804BD69} - C:\Program Files\Online Services\woce.dll (file missing)
O2 - BHO: 0 - {A09B31E4-BD77-47AD-73A5-D3E521FF59DE} - C:\Program Files\Messenger\banuji.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: khfgfdc - khfgfdc.dll (file missing)
O20 - Winlogon Notify: ljjjk - C:\WINDOWS\system32\ljjjk.dll (file missing)
O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing)
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O20 - Winlogon Notify: pmnlkhe - pmnlkhe.dll (file missing)
O20 - Winlogon Notify: qomjgec - qomjgec.dll (file missing)
O20 - Winlogon Notify: xxywtur - xxywtur.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


"Derek Morin" - 07-04-23 10:30:25 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Derek Morin\Desktop\
Command switches used :: /v awtussq hgggghf ljjjk


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\hgggghf.dll
C:\WINDOWS\system32\qjqqekwt.dll
C:\WINDOWS\system32\qrrqr.bak1
C:\WINDOWS\system32\qrrqr.ini
C:\WINDOWS\system32\qrrqr.tmp
C:\WINDOWS\system32\awtussq.dll
C:\WINDOWS\system32\rqrrq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\WNSXS~1
C:\qoobox\purity\C\Program Files\Common Files\CURITY~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-22 15:06 <DIR> d-------- C:\DOCUME~1\DEREKM~1\DoctorWeb
2007-04-16 05:49 1,372,798 --ahs---- C:\WINDOWS\system32\kjjjl.ini2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 10:19 -------- d-------- C:\Program Files\online services
2007-04-22 12:42 -------- d-------- C:\Program Files\viewpoint
2007-04-21 16:09 -------- d-------- C:\Program Files\messenger
2007-04-15 21:11 -------- d-------- C:\Program Files\google
2007-04-15 21:07 -------- d--h----- C:\Program Files\installshield installation information
2007-04-15 21:07 -------- d-------- C:\Program Files\dell


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0F782826-984A-4212-A199-F5BBF00137A0} C:\WINDOWS\system32\ljjjk.dll [x]
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\xxiweagg.dll [x]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
{8F0E0244-5A13-4E41-B884-F9BF7804BD69} C:\Program Files\Online Services\woce.dll [x]
{A09B31E4-BD77-47AD-73A5-D3E521FF59DE} C:\Program Files\Messenger\banuji.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgfdc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\p4reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlkhe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjgec
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtur

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="caissdt"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_13"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_13.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="quickset"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DMXLauncher"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PPActiveDetection"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ifrmewrk"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_13"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_13.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_13"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_13.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSCD_Creator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PreODM"
"hkey"="HKLM"
"command"="c:\\Dell\\PreODM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RreN4HW]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="czuehf"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\czuehf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sntcw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wyjjux"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\wyjjux.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys03922663939]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys03922663939"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys03922663939.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgqhyevA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgqhyevA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\tgqhyevA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vjmrbclA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vjmrbclA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\vjmrbclA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vqnbuv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wyjjux"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\wyjjux.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w00152ce.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w00152ce.dll,I2 001adf30000152ce"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ca"
"hkey"="HKLM"
"command"="C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust Personal Firewall\\ca.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 10:41:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 10:42:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-23 10:42
C:\ComboFix2.txt ... 07-04-22 18:32

#13 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 23 April 2007 - 03:35 PM

Let's deal with the rest now... we are making progress...

As I can see in the ComboFix log, some entries were disabled by your friend via msconfig, which shows that he has already been dealing with malware for more than a year.

Do next please..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {0F782826-984A-4212-A199-F5BBF00137A0} - C:\WINDOWS\system32\ljjjk.dll (file missing)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\xxiweagg.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8F0E0244-5A13-4E41-B884-F9BF7804BD69} - C:\Program Files\Online Services\woce.dll (file missing)
O2 - BHO: 0 - {A09B31E4-BD77-47AD-73A5-D3E521FF59DE} - C:\Program Files\Messenger\banuji.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O20 - Winlogon Notify: khfgfdc - khfgfdc.dll (file missing)
O20 - Winlogon Notify: ljjjk - C:\WINDOWS\system32\ljjjk.dll (file missing)
O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing)
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O20 - Winlogon Notify: pmnlkhe - pmnlkhe.dll (file missing)
O20 - Winlogon Notify: qomjgec - qomjgec.dll (file missing)
O20 - Winlogon Notify: xxywtur - xxywtur.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the next file:

C:\WINDOWS\system32\kjjjl.ini2

Open Notepad and copy and paste what is in the quotebox below into it (don't forget to copy and paste REGEDIT4):

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RreN4HW]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sntcw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys03922663939]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgqhyevA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vjmrbclA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vqnbuv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w00152ce.dll]

Save this as remove2.reg, choosing to save as type *All files, and place it on your desktop.
Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.

Can you also let your friend know that an antivirus is not supposed to be disabled? I see he had an antivirus before, even two (McAfee and eTrust Internet Security Suite), but he disabled them and most probably also uninstalled them, because at least one reference should still be running if they were still installed, even when disabled.
So tell him he really has to leave his Security Software enabled, because how is he going to protect his computer otherwise?

Post a new HijackThislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
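The triage behind the list above, keeping the vendor entries (Dell, McAfee, QuickTime, Intel) and deleting the randomly named ones, can be mechanised. The following Python is an added example, not part of the thread and not ComboFix or HijackThis code. It parses a constructed excerpt of the startupreg dump, works out which program each disabled Run entry actually launches (for rundll32 entries, the DLL handed to it), flags entries by assumed heuristics (a bare filename resolved through the search path, a program in the drive root, %SystemRoot% or system32 rather than under Program Files, a vowel-less name, one target shared by several entries) and emits a remove2.reg-style deletion file. The heuristics and the KNOWN_SYSTEM32 allowlist are the author's assumptions, not anything the thread states.

```python
# Added example, not part of the thread and not ComboFix/HijackThis code: triage of
# the msconfig "startupreg" dump above, from parsed .reg text to a remove2.reg-style
# deletion file. Heuristics and KNOWN_SYSTEM32 are the author's assumptions.
import re
import ntpath  # Windows path rules even when this runs on Linux

# Constructed excerpt of the dump above ("key"/"hkey"/"inimapping" lines omitted).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"item"="qttask"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"item"="wfxqhv"
"command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"item"="kybrdff_13"
"command"="C:\\\\kybrdff_13.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sntcw]
"item"="wyjjux"
"command"="C:\\WINDOWS\\system32\\wyjjux.exe reg_run"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vqnbuv]
"item"="wyjjux"
"command"="C:\\WINDOWS\\system32\\wyjjux.exe reg_run"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w00152ce.dll]
"item"="RUNDLL32"
"command"="RUNDLL32.EXE w00152ce.dll,I2 001adf30000152ce"
'''

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>(?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}  # assumed allowlist; extend for your build

def parse_startupreg(text):
    """Map each startupreg entry name to its values, with .reg escaping undone."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            path, current = sec.group("path"), None
            if path.lower().startswith(STARTUPREG.lower() + "\\"):
                current = entries.setdefault(path[len(STARTUPREG) + 1:], {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:  # .reg escaping: \\ -> \ and \" -> "
            current[val.group("name")] = re.sub(r"\\(.)", r"\1", val.group("val"))
    return entries

def launched_program(command):
    """Program a Run command really starts; for rundll32 that is the DLL it loads."""
    cmd = command.strip()
    if cmd.startswith('"'):  # quoted path, possibly followed by arguments
        close = cmd.find('"', 1) if cmd.count('"') > 1 else len(cmd)
        head, rest = cmd[1:close], cmd[close + 1:]
    else:  # unquoted: take up to the first .exe/.com/... token (spaces allowed before it)
        m = EXE_RE.match(cmd)
        head, rest = (m.group("exe"), cmd[m.end():]) if m else (cmd.split(" ")[0], "")
    if ntpath.basename(head).lower() == "rundll32.exe":
        head = rest.strip().split(",", 1)[0].strip().strip('"')
    return ntpath.normpath(head)  # also collapses the C:\\kybrdff_13.exe double slash

def suspicion_reasons(program, all_targets):
    """Assumed heuristics tuned to this dump; every hit still needs a human look."""
    reasons = []
    folder, name = ntpath.split(program)
    folder_l = folder.lower().rstrip("\\")
    if not folder:
        reasons.append("bare filename, resolved through the search path")
    elif folder_l == "c:":
        reasons.append("runs from the drive root")
    elif folder_l == r"c:\windows":
        reasons.append("runs from the %SystemRoot% root")
    elif folder_l == r"c:\windows\system32" and name.lower() not in KNOWN_SYSTEM32:
        reasons.append("non-Windows binary in system32")
    letters = re.sub(r"[^a-z]", "", ntpath.splitext(name)[0].lower())
    if "program files" not in folder_l and len(letters) >= 5 and not set(letters) & set("aeiou"):
        reasons.append("random-looking name")
    if all_targets.count(program.lower()) > 1:
        reasons.append("same target launched by more than one entry")
    return reasons

def triage(text):
    """{entry name: (program, [reasons])}; an empty reason list means not flagged."""
    commands = {n: e["command"] for n, e in parse_startupreg(text).items() if "command" in e}
    programs = {n: launched_program(c) for n, c in commands.items()}
    targets = [p.lower() for p in programs.values()]
    return {n: (p, suspicion_reasons(p, targets)) for n, p in programs.items()}

def deletion_reg(report):
    """remove2.reg-style text deleting every flagged entry (CRLF, trailing blank line)."""
    lines = ["REGEDIT4", ""]
    for name, (_, reasons) in sorted(report.items()):
        if reasons:
            lines += ["[-" + STARTUPREG + "\\" + name + "]", ""]
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    for name, (program, reasons) in triage(SAMPLE).items():
        print(f"{name:14} {program:38} {'; '.join(reasons) or 'ok'}")
    print(deletion_reg(triage(SAMPLE)))
```

On the constructed sample this flags k6mmN5IOU, keyboard, sntcw, vqnbuv and w00152ce.dll and leaves QuickTime Task alone, which is the same split the helper made by hand. On a real dump the output is only a shortlist: the name rule will also catch oddly named but legitimate vendor binaries, and a missing file on disk is a finding in itself, so check each hit (and its file, hash and signature) before merging the .reg.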

#14 brute force

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 23 April 2007 - 04:36 PM

here you go

Logfile of HijackThis v1.99.1
Scan saved at 6:32:31 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Frank Bruno\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 23 April 2007 - 04:59 PM

Looking good again...
Now one more thing to do..

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Also, tell your friend to change all his passwords, because this is really important.

Let me know afterwards how things are now.



