
Hijackthis Log File


11 replies to this topic

#1 Michael Lopez

Michael Lopez

  • Members
  • 10 posts

Posted 02 June 2007 - 09:52 AM

Hi

I wanted to know how I can find out what program or process closes the OllyDbg program. I have tried many programs (Spyware Doctor, Trend Micro PC-cillin, Ad adware be gone) but it still remains the same.

The only way that I could make it stay was by using Process Guard (with Secure Message Handling enabled), but it doesn't say anything about which program, process or module tries to close the OllyDbg program.

Just recently I had the Virtumonde virus, which I think is resolved after following the instructions in this forum (I also used Spyware Doctor and Trend Micro), and I don't get any other annoying popups or websites. But I still think that some variant of this virus closes OllyDbg (I think the rootkit one). Tonight I checked the processes with Security Task Manager and I found that there was a DLL with high risk in my memory.

I checked my computer again with Spyware Doctor and Trend Micro PC-cillin 2007 but neither of them found anything bad.


And this is the log file of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:19:04 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
D:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
D:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
D:\Program Files\IDA\ida.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\PowerMenu\PowerMenu.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\WindowsUptime.exe
C:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Azureus\Azureus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Far\Far.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - D:\Program Files\IDA\idabar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [Babylon Client] d:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] D:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Windows Uptime Tool.lnk = C:\WINDOWS\system32\WindowsUptime.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - D:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C25EF9-9C87-4935-8F17-547CD49FC1D2}: NameServer = 85.198.0.18 85.198.0.23
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: FAR Background Copy Service (FARBCopy) - Unknown owner - C:\Program Files\Far\PlugIns\BackGroundCopy\bin\bcsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by Michael Lopez, 02 June 2007 - 09:53 AM.



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 June 2007 - 10:31 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Michael Lopez :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


******************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot, post the contents of the logfile C:\fixwareout\report.txt in your next reply, along with a new HijackThis log.

#3 Michael Lopez

Michael Lopez
  • Topic Starter

  • Members
  • 10 posts

Posted 02 June 2007 - 03:51 PM

Hi

Thanks for your help

I ran ComboFix from the desktop but it seems to have some access denied problems. These are the messages that I got from its screen, and no ComboFix.txt exists at all:

Preparing Log Report.
Please be patient. This takes a while.

Almost done . . .
A report of ComboFix's actions would be produced at C:\ComboFix.txt
Access is denied.
sed: can't read runs.cf: No such file or directory
Access is denied.
sed: can't read runs.cf: No such file or directory
Access is denied.
sed: can't read raw_system.cf: No such file or directory



But these are the Fixwareout and HijackThis log files:

Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs

....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»




Logfile of HijackThis v1.99.1
Scan saved at 00:10, on 2007-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
D:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\IDA\ida.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\WINDOWS\system32\WindowsUptime.exe
C:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\ComboFix\9242.cfexe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - D:\Program Files\IDA\idabar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [Babylon Client] d:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] D:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Windows Uptime Tool.lnk = C:\WINDOWS\system32\WindowsUptime.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - D:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C25EF9-9C87-4935-8F17-547CD49FC1D2}: NameServer = 85.198.0.18 85.198.0.23
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: FAR Background Copy Service (FARBCopy) - Unknown owner - C:\Program Files\Far\PlugIns\BackGroundCopy\bin\bcsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Sincerely
Michael Lopez

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 June 2007 - 05:24 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

************************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new HijackThis log please.
Let me know how your pc is running now.

#5 Michael Lopez

Michael Lopez
  • Topic Starter

  • Members
  • 10 posts

Posted 03 June 2007 - 07:56 AM

Hi

These are the log files:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/03/2007 at 03:41 AM

Application Version : 3.8.1002

Core Rules Database Version : 3248
Trace Rules Database Version: 1259

Scan type : Quick Scan
Total Scan Time : 00:52:09

Memory items scanned : 489
Memory threats detected : 0
Registry items scanned : 953
Registry threats detected : 29
File items scanned : 28324
File threats detected : 30

Unclassified.Oreans32
HKLM\System\ControlSet002\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\ControlSet004\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Masood\Cookies\masood@upspiral[2].txt
C:\Documents and Settings\Masood\Cookies\masood@doubleclick[2].txt
C:\Documents and Settings\Masood\Cookies\masood@dailynewmedia[1].txt
C:\Documents and Settings\Masood\Cookies\masood@nextag[2].txt
C:\Documents and Settings\Masood\Cookies\masood@msnportal.112.2o7[1].txt
C:\Documents and Settings\Masood\Cookies\masood@adrevolver[1].txt
C:\Documents and Settings\Masood\Cookies\masood@media.adrevolver[2].txt
C:\Documents and Settings\Masood\Cookies\masood@hotlog[1].txt
C:\Documents and Settings\Masood\Cookies\masood@atwola[1].txt
C:\Documents and Settings\Masood\Cookies\masood@rambler[1].txt
C:\Documents and Settings\Masood\Cookies\masood@optimost[1].txt
C:\Documents and Settings\Masood\Cookies\masood@www.drivecleaner[2].txt
C:\Documents and Settings\Masood\Cookies\masood@philips.112.2o7[1].txt
C:\Documents and Settings\Masood\Cookies\masood@www.amaena[1].txt
C:\Documents and Settings\Masood\Cookies\masood@cpvfeed[2].txt
C:\Documents and Settings\Masood\Cookies\masood@www.crackdb[1].txt
C:\Documents and Settings\Masood\Cookies\masood@atdmt[1].txt
C:\Documents and Settings\Masood\Cookies\masood@questionmarket[2].txt
C:\Documents and Settings\Masood\Cookies\masood@ads.pointroll[1].txt
C:\Documents and Settings\Masood\Cookies\masood@statse.webtrendslive[2].txt
C:\Documents and Settings\Masood\Cookies\masood@drivecleaner[2].txt
C:\Documents and Settings\Masood\Cookies\masood@statcounter[1].txt
C:\Documents and Settings\Masood\Cookies\masood@adinterax[1].txt
C:\Documents and Settings\Masood\Cookies\masood@www.mediakey[2].txt
C:\Documents and Settings\Masood\Cookies\masood@winantivirus[1].txt
C:\Documents and Settings\Masood\Cookies\masood@2o7[2].txt
C:\Documents and Settings\Masood\Cookies\masood@m1.webstats.motigo[1].txt
C:\Documents and Settings\Masood\Cookies\masood@orangemedia[1].txt


Dr.Web CureIt:

hprgiupe.dll.q_804C634_q;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.Virtumod;Deleted.;
nsp5.tmp;C:\Documents and Settings\Masood\Local Settings\Temp;Tool.Prockill;;
Editor SkyNet.exe;C:\Program Files\SkyNet;Trojan.Bomgen;Deleted.;
A0045754.exe;C:\System Volume Information\_restore{8C190642-5BD1-4776-8DC6-7E73967D788F}\RP271;Trojan.Bomgen;Deleted.;
vtstq.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
A0045757.DLL;E:\System Volume Information\_restore{8C190642-5BD1-4776-8DC6-7E73967D788F}\RP271;Trojan.Popwin;Deleted.;


By the way, I could scan with ComboFix in safe mode:

"Masood" - 2007-06-03 15:57:12 Service Pack 2 [SAFE MODE]
ComboFix 07-06-2.5.Ex - Running from: "C:\Documents and Settings\Masood\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 )))))))))))))))))))))))))))))))


2007-06-03 13:27 <DIR> d-------- C:\Documents and Settings\Masood\DoctorWeb
2007-06-03 13:27 <DIR> d-------- C:\DOCUME~1\Masood\DoctorWeb
2007-06-03 13:20 <DIR> d-------- C:\Cureit
2007-06-03 02:35 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\SUPERAntiSpyware.com
2007-06-03 02:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-02 23:56 8,279 --a------ C:\dnsbak.reg
2007-06-02 15:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-02 13:01 <DIR> d-------- C:\WINDOWS\CSC
2007-06-02 02:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-06-01 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ViceVersa PRO 2
2007-06-01 18:27 74,316 --a------ C:\WINDOWS\system32\pguard.dat
2007-06-01 18:27 67,996 --a------ C:\WINDOWS\system32\pghash.dat
2007-06-01 18:19 27,968 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2007-06-01 18:19 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2007-06-01 16:33 <DIR> d-------- C:\Program Files\DFX
2007-06-01 16:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DFX
2007-06-01 08:16 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-06-01 08:16 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-01 08:16 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-06-01 08:16 199,440 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-06-01 08:16 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-06-01 08:16 1,052,472 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-06-01 08:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-01 01:22 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Eset
2007-05-31 22:43 <DIR> d-------- C:\WINDOWS\system32\eScan
2007-05-31 21:29 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-31 21:29 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-05-31 21:20 <DIR> d--hs---- C:\FOUND.001
2007-05-31 20:42 <DIR> d-------- C:\VundoFix Backups
2007-05-31 20:13 <DIR> d-------- C:\WINDOWS\pss
2007-05-30 18:46 14 --a------ C:\WINDOWS\ASBG.dat
2007-05-30 17:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-29 21:04 <DIR> d-------- C:\Program Files\FLVPlayer
2007-05-29 15:28 0 -rahs---- C:\MSDOS.SYS
2007-05-29 15:28 0 -rahs---- C:\IO.SYS
2007-05-28 22:55 512 --a------ C:\drmHeader.bin
2007-05-27 23:01 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-27 23:01 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-27 23:01 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-27 23:01 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-27 23:01 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-27 23:00 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\PC Tools
2007-05-27 10:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-05-26 17:44 49,152 --a------ C:\WINDOWS\TVicHW32.dll
2007-05-26 17:44 49,152 --a------ C:\WINDOWS\system32\TVicHW32.dll
2007-05-26 17:44 24,576 --a------ C:\WINDOWS\system32\drivers\TVicHW32.sys
2007-05-25 10:15 <DIR> d-------- C:\Program Files\Windows Updates Downloader
2007-05-23 15:56 <DIR> d--hs---- C:\FOUND.000
2007-05-22 09:47 <DIR> d-------- C:\WINDOWS\Packs
2007-05-22 01:52 640,507 ---hs---- C:\WINDOWS\system32\oqtss.ini2
2007-05-14 03:37 <DIR> d-------- C:\Reports
2007-05-13 19:08 <DIR> d-------- C:\WINDOWS\Full Speed
2007-05-13 10:30 <DIR> d-------- C:\Program Files\Creative
2007-05-12 02:42 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Yahoo!
2007-05-12 02:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-10 23:19 <DIR> d-------- C:\Program Files\nnCron
2007-05-10 12:07 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Photodex
2007-05-10 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Eset
2007-05-10 10:45 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\iolo
2007-05-10 10:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2007-05-09 09:57 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Reallusion
2007-05-08 13:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-08 11:25 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\WinRAR
2007-05-07 21:45 <DIR> d-------- C:\Program Files\SatFile Filter
2007-05-07 21:45 <DIR> d-------- C:\Program Files\Common Files\Marwan Programs
2007-05-07 04:37 249,856 --------- C:\WINDOWS\Setup1.exe
2007-05-06 11:57 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-06 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-05-06 09:53 <DIR> d-------- C:\Program Files\TGTSoft
2007-05-06 09:26 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Webroot
2007-05-06 03:38 299,520 --a------ C:\WINDOWS\uninst.exe
2007-05-06 03:28 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-06 03:25 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Media Player Classic
2007-05-06 02:56 513,536 --a------ C:\WINDOWS\system32\WinDjView-0.4.3.exe
2007-05-06 02:53 <DIR> d-------- C:\Program Files\UIU
2007-05-05 23:49 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Music Label
2007-05-05 21:25 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-05-05 21:25 81,332 -r------- C:\WINDOWS\system32\bass.dll
2007-05-05 21:25 69,632 -r------- C:\WINDOWS\system32\akrip32x.dll
2007-05-05 20:06 <DIR> d-------- C:\Program Files\Replay Converter
2007-05-05 20:04 <DIR> d-------- C:\WINDOWS\Cache
2007-05-05 19:43 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\InstallShield
2007-05-05 14:34 <DIR> d-------- C:\Program Files\Paltalk Messenger Interop
2007-05-05 14:17 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-05-05 14:00 969 --a------ C:\WINDOWS\mozver.dat
2007-05-05 13:56 <DIR> d-------- C:\DOCUME~1\Masood\APPLIC~1\Netscape
2007-05-05 13:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2007-05-05 13:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-05 13:44 <DIR> d-------- C:\Program Files\GameHouse
2007-05-05 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MainType
2007-05-05 12:47 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-05 10:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-05-05 02:42 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-05-05 02:39 <DIR> d-------- C:\WINDOWS\system32\Flash
2007-05-05 01:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-05-04 13:54 <DIR> d-------- C:\Program Files\DVBViewerTE
2007-05-04 13:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Technisat
2007-05-04 13:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CMUV
2007-05-04 03:17 <DIR> d-------- C:\Program Files\SkyNet
2007-05-03 14:36 <DIR> d-------- C:\Documents and Settings\Masood\.SatFinder


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-07 01:07:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-29 11:18:16 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\TuneUp Software
2007-04-29 11:17:12 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-29 04:57:48 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\Internet Download Accelerator
2007-04-29 04:43:38 -------- d-----w C:\Program Files\WinPcap
2007-04-26 21:31:12 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\Teleca
2007-04-26 21:30:38 -------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-04-26 21:27:22 6,144 ----a-w C:\WINDOWS\system32\drivers\k750cm.sys
2007-04-26 21:27:22 5,744 ----a-w C:\WINDOWS\system32\drivers\k750wh.sys
2007-04-24 11:20:32 -------- d-----w C:\Program Files\Bonjour
2007-04-24 11:12:06 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-04-23 12:44:36 -------- d-----w C:\Program Files\cFosSpeed
2007-04-23 11:44:04 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\Locktime
2007-04-23 11:05:32 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\CD Bank
2007-04-21 08:50:36 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\COWON
2007-04-18 21:09:32 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\GPass
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 19:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 19:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 19:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 19:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 19:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 19:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 19:14:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 19:14:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 22:59:46 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2007-04-14 21:21:04 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\gtk-2.0
2007-04-10 01:18:42 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\DivX
2007-04-10 00:32:22 -------- d-----w C:\Program Files\Pegasys Inc
2007-04-09 04:29:52 -------- d-----w C:\Program Files\Common Files\Elecard
2007-04-05 14:39:12 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\Real
2007-04-04 17:44:52 -------- d-----w C:\DOCUME~1\Masood\APPLIC~1\BSplayer Pro
2007-04-04 17:31:50 -------- d-----w C:\Program Files\C-Media
2007-04-01 17:58:52 53,248 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2007-04-01 17:58:52 118,784 ----a-w C:\WINDOWS\system32\bgsvcgen.exe
2007-03-28 08:57:52 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-28 02:24:16 22,704 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-27 23:46:22 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-03-23 02:37:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 02:37:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 20:47:36 46,344 ----a-w C:\WINDOWS\NSSetDefaultBrowser.EXE
2007-03-22 16:55:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-21 17:24:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-21 17:24:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-21 17:24:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 08:53:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 08:49:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-13 14:00:26 281,816 ----a-w C:\WINDOWS\system32\cfosspeed.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2006-05-03 10:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47:16 31,744 --sh--r C:\WINDOWS\system32\msfDX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}=D:\PROGRA~1\IDA\idaiehlp.dll [2006-12-15 17:40]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 10:25]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=d:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [2006-11-17 18:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 12:35]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SoundMan"="SOUNDMAN.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"WebcamMaxMoniter"="C:\Program Files\WebcamMax\CAMTHINS.exe" [2007-03-07 15:16]
"Babylon Client"="d:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2006-04-23 18:24]
"C-Media Mixer"="Mixer.exe" []
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-03-13 17:30]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 20:49]
"pccguide.exe"="D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]
"!1_pgaccount"="D:\Program Files\ProcessGuard\pgaccount.exe" [2005-12-23 12:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
"Internet Download Accelerator"="D:\Program Files\IDA\ida.exe" [2006-12-15 17:38]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34]
"!1_ProcessGuard_Startup"="D:\Program Files\ProcessGuard\procguard.exe" [2006-01-09 21:11]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-24 20:26]
"RogueMonitor"="D:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe" [2007-05-12 19:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoSMConfigurePrograms"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Server4PC.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Server4PC.lnk
backup=C:\WINDOWS\pss\Server4PC.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Masood^Start Menu^Programs^Startup^ts_winlirc.lnk]
path=C:\Documents and Settings\Masood\Start Menu\Programs\Startup\ts_winlirc.lnk
backup=C:\WINDOWS\pss\ts_winlirc.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\system32\sembskhn.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YTK.exe]
C:\Program Files\YTK Pro\YTK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Sony Ericsson PC Suite"="D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-01 13:45:02 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-06-02 05:30:02 C:\WINDOWS\tasks\Azureus.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 16:00:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-03 16:03:05
C:\ComboFix-quarantined-files.txt ... 2007-06-03 16:01

--- E O F ---

The problems that I currently have are that OllyDbg (I think other debugging programs would be the same) is closed automatically.
And Internet Explorer settings are automatically changed to the lowest security possible. (My homepage is always changed to Microsoft automatically too.)

Do you know any programs that can tell which process tried to close OllyDbg?

Thanks in advance
Michael Lopez

#6 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:12 PM

Posted 03 June 2007 - 10:14 AM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\system32\oqtss.ini2

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

******************************

Download and scan with the free 15-day trial of Counterspy V2.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

Also post a new Hijackthis log.

Do you know any programs that can tell which process tried to close OllyDbg?

Cannot help you with that; you might want to take a look at the following link, you may find some help there:
OllyDbg Support Forums:
http://www.woodmann.com/forum/forumdisplay.php?f=37

#7 Michael Lopez

  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:42 PM

Posted 04 June 2007 - 02:34 AM

Hi

These are the log files:


Scan History Details
Start Date: 6/4/2007 9:31:58 AM
End Date: 6/4/2007 12:42:10 PM
Total Time: 190 Min 12 Sec
Detected security risks

Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\masood\cookies\masood@doubleclick[1].txt


Acez.SiteError Browser Plug-in more information...
Details: SiteError is a browser plug-in typically bundled with free applications such as screensavers.
Status: Deleted

Files detected
D:\icon\Old\101033.ico


A-311 Death Trojan more information...
Details: A-311 Death is a remote administration tool with many features, like registry access, process viewer, file download/upload, etc.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Db Profiles
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Db Profiles
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Db Profiles\Default
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Db Profiles\Default
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Db Profiles\Default
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Settings
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Settings
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\P2\Settings


Trojan.Win32.Qhost.hf Trojan more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\URLS


BSplayer Adware Bundler more information...
Details: BSplayer is bundle with WhenU Save. You cannot even run the software without WhenU Save.
Status: Deleted

Files detected
D:\Program Files\Webteh\BSplayerPro\bplay.exe
D:\Program Files\Webteh\BSplayerPro\bsplay.exe

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.ASF
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.ASF\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.ASF\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.ASF\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.ASF\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.AVI
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.AVI\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.AVI\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.AVI\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.AVI\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MKV
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MKV\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MKV\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MKV\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MKV\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPEG
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPEG\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPEG\Shell\open
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPEG\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPEG\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPEG\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPG
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPG\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPG\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPG\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.MPG\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGG
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGG\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGG\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGG\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGG\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGM
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGM\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGM\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGM\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.OGM\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.WMV
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.WMV\Shell
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.WMV\Shell\Playbs
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.WMV\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\BSPLAYERFILE.WMV\Shell\Playbs\DropTarget
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BSPLAYER1
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BSPLAYER1
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BSPLAYER1
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\BST
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\BST\bsplayerv1
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\BST\bsplayerv1
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003\SOFTWARE\BST\bsplayerv1
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell\open
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell\open\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell\open\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell\play
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell\play\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.INIF\shell\play\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell\open
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell\open\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell\open\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell\play
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell\play\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.PLIST\shell\play\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\shell
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\shell\install
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\shell\install
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\shell\install\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSP.SKINZIP\shell\install\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\DefaultIcon
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Enqueue\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Open\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Play\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\command
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\ddeexec
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\ddeexec\Application
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\ddeexec\topic
HKEY_USERS\S-1-5-21-1614895754-823518204-1801674531-1003_Classes\BSPLAYERFILE.MPEG\shell\Playbs\ddeexec\topic


Logfile of HijackThis v1.99.1
Scan saved at 10:59:23 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
D:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
D:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\IDA\ida.exe
D:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\WINDOWS\system32\WindowsUptime.exe
C:\Program Files\MagicDisc\MagicDisc.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Azureus\Azureus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Far\Far.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - D:\Program Files\IDA\idabar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [Babylon Client] d:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] D:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RogueMonitor] D:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - Startup: Windows Uptime Tool.lnk = C:\WINDOWS\system32\WindowsUptime.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - D:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C25EF9-9C87-4935-8F17-547CD49FC1D2}: NameServer = 85.198.0.18 85.198.0.23
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: FAR Background Copy Service (FARBCopy) - Unknown owner - C:\Program Files\Far\PlugIns\BackGroundCopy\bin\bcsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Sincerely
Michael Lopez

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 June 2007 - 02:47 AM

First disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Exit Hijackthis.

***************************

Do you recognise the IP or domain 85.198.0.18?
If you definitely do not recognise it, fix the following entry with HijackThis:
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C25EF9-9C87-4935-8F17-547CD49FC1D2}: NameServer = 85.198.0.18 85.198.0.23

Restart your PC, then post a new HijackThis log in your next reply.
Let me know how it's going now.

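The checks RichieUK applies by eye in the reply above (entries marked "(file missing)", an O17 NameServer the user may not recognise, an O10 LSP whose vendor must be identified) can be scripted. The following Python is an added example and is not part of this thread or of HijackThis itself: it parses HijackThis entry lines from a constructed sample copied out of the log posted here and returns a triage list. The resolver allowlist, the RFC 1918 exemption and the quote-balance check on O23 service paths are my own assumptions about what a reviewer wants flagged.

```python
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread (the O9 Java line is clean and is included for contrast).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C25EF9-9C87-4935-8F17-547CD49FC1D2}: NameServer = 85.198.0.18 85.198.0.23
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""

# HijackThis entry lines start with a section tag (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sect>[RFNO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (section, body) for every entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sect"), m.group("body")


def triage(log_text, known_resolvers=frozenset()):
    """Return [(section, reason, body)] for entries a reviewer should look at first."""
    findings = []
    for sect, body in parse_entries(log_text):
        if "(file missing)" in body:
            # Orphaned entry: the registry points at a file that is not on disk.
            findings.append((sect, "dangling reference", body))
        if sect == "O17" and "NameServer =" in body:
            # Per-interface DNS servers: anything not on the caller's allowlist and
            # not an RFC 1918 router address deserves the question asked above.
            for token in body.split("NameServer =", 1)[1].split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    findings.append((sect, f"malformed resolver {token}", body))
                    continue
                if str(addr) not in known_resolvers and not addr.is_private:
                    findings.append((sect, f"unrecognised DNS resolver {addr}", body))
        elif sect == "O10":
            # A Winsock LSP is loaded into every networked process: always identify the vendor.
            findings.append((sect, "Winsock LSP (verify vendor)", body))
        elif sect == "O23":
            # An odd number of quotes means HijackThis 1.99.1 cut a quoted ImagePath with
            # arguments; the "(file missing)" it prints on such a line is usually spurious.
            image = body.rsplit(" - ", 1)[1]
            if image.count('"') % 2 == 1:
                findings.append((sect, "unbalanced quotes in service ImagePath", body))
    return findings


if __name__ == "__main__":
    for sect, reason, body in triage(SAMPLE_LOG):
        print(f"{sect:4} {reason}: {body[:70]}")
```

Run against the sample, the script flags the two BitDefender-style O9 orphans the reply tells the user to fix, both 85.198.0.x resolvers (they disappear once passed in `known_resolvers`), the Bonjour LSP, and the cFosSpeed service line twice. That last double hit is the practical caveat: on the cFosSpeed and rpcapd entries in this log the "(file missing)" comes from the quoted-ImagePath quirk, so confirm the binary is really absent before fixing an O23 entry.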

#9 Michael Lopez (Topic Starter, Members, 10 posts)

Posted 04 June 2007 - 04:12 AM

Hi

And thanks for your support

I did what you said and these are the log files:


Found the program which closes OllyDBG: Internet Download Accelerator.

When I close this program and run OllyDBG it runs very well, but when IDA is present OllyDBG is closed automatically.


Logfile of HijackThis v1.99.1
Scan saved at 12:32:17 AM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
D:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Far\Far.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinRAR\WinRAR.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [Babylon Client] d:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] D:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RogueMonitor] D:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - Startup: Windows Uptime Tool.lnk = C:\WINDOWS\system32\WindowsUptime.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C25EF9-9C87-4935-8F17-547CD49FC1D2}: NameServer = 85.198.0.18 85.198.0.23
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: FAR Background Copy Service (FARBCopy) - Unknown owner - C:\Program Files\Far\PlugIns\BackGroundCopy\bin\bcsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


And I have three questions

1- What is this file for? O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

2- And you know, since the viruses are cleaned (thanks to you), when I open the start menu and right click-->open OR right click->explore on any of its items, no explorer window opens at all, just something like a command prompt for less than a second and it fades away.
I know it's a minor problem but is there a way to restore default windows behavior for these two options in right click menu?

3- Which Antispyware, Anti virus and firewall programs do you recommend me to install on my computer for general safety? Thanks


By the way, I finally found out which program closes OllyDBG with no prompt at all.

It's IDA (Internet Download Accelerator 5.2) which closes OllyDBG.

Sincerely
Michael Lopez

Edited by Michael Lopez, 04 June 2007 - 04:29 AM.


#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 June 2007 - 05:58 AM

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
Combofix
Fixwareout
KillBox

C:\QooBox
C:\Fixwareout
C:\!KillBox

Remove both the following via Start/Control Panel/Add or Remove Programs:
SUPERAntiSpyware
CounterSpy

Enable Windows Defender.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be added automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

************************************

And I have three questions
1- What is this file for?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

Part of Apple's Bonjour and/or Rendezvous zero-configuration networking, most often added by iTunes version 5.0 and later.

2- And you know since the viruses are cleaned (thanks to you).
when I open the start menu and right click-->open OR right click-> explore on any of it's items, No explorer window opens at all, just something like a command prompt for less than a second and it fades aways.
I know it's a minor problem but is there a way to restore default windows behavior for these two options in right click menu?

See if this helps:
Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

3- Which Antispyware, Anti virus and firewall programs do you recommend me to install on my computer for general safety?

You've already got one of the best all-round protection packages installed, Trend Micro Internet Security.
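The fix.reg in the reply above works by merging four DWORD values into the Explorer policy keys. Merging a .reg file is additive: regedit sets exactly the values listed and removes nothing else, so a restriction the file does not name survives the merge. The following Python is an added example, not part of this thread and not how regedit is implemented: it parses the REGEDIT4 syntax, applies the operations to a constructed registry snapshot, and reports which Explorer policy restrictions remain. It goes beyond the post by also handling the `"Name"=-` and `[-HKEY_...]` deletion forms of the format. The "before" snapshot and its extra `NoRun` restriction are invented for the demonstration.

```python
import re

# Constructed sample: the fix.reg text from the reply above.
FIX_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000
"""

# Constructed "before" snapshot: a hypothetical machine where something has also
# set NoRun, which the fix above never mentions. Keys are stored lower-cased
# because registry key names are case-insensitive on Windows.
BEFORE = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer": {
        "NoViewContextMenu": 1,
        "NoRun": 1,
    },
}

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg text into ops: ('set'|'delete_value'|'delete_key', key, name, data)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":            # [-HKEY_...] deletes the whole key
                ops.append(("delete_key", key, None, None))
                key = None
            continue
        m = VAL_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparseable line: {line}")
        name = "" if m.group(2) else _unescape(m.group(1))   # @ is the default value
        data = m.group(3).strip()
        if data == "-":                       # "Name"=- deletes one value
            ops.append(("delete_value", key, name, None))
        elif data.lower().startswith("dword:"):
            ops.append(("set", key, name, int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set", key, name, _unescape(data[1:-1])))
        else:                                 # hex:, hex(2): and friends are out of scope here
            raise ValueError(f"unsupported data: {data}")
    return ops


def apply_reg(registry, ops):
    """Simulate regedit's merge on a {key_lower: {name: data}} model; returns a new dict."""
    reg = {k: dict(v) for k, v in registry.items()}
    for op, key, name, data in ops:
        k = key.lower()
        if op == "delete_key":
            for sub in [x for x in reg if x == k or x.startswith(k + "\\")]:
                del reg[sub]
        elif op == "delete_value":
            reg.get(k, {}).pop(name, None)
        else:
            reg.setdefault(k, {})[name] = data   # value names compared exactly (simplification)
    return reg


def remaining_restrictions(registry):
    """Names of non-zero DWORD policies left under any ...\\Policies\\Explorer key."""
    names = set()
    for key, values in registry.items():
        if key.endswith(r"\policies\explorer"):
            names.update(n for n, d in values.items() if isinstance(d, int) and d != 0)
    return sorted(names)


if __name__ == "__main__":
    after = apply_reg(BEFORE, parse_reg(FIX_REG))
    print("still restricted:", remaining_restrictions(after))  # ['NoRun']
```

The point of the simulation is the last line: after the merge the three values the file names are zero, but the invented `NoRun` is still set, so a user whose Explorer is still misbehaving after fix.reg should export the two Policies\Explorer keys and look for every non-zero value, not just the ones the fix touched.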

#11 Michael Lopez (Topic Starter, Members, 10 posts)

Posted 04 June 2007 - 10:32 AM

Hi

Thanks for all your help man. You Really ROCK.

Anything I can do?


Sincerely
Michael Lopez

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 June 2007 - 11:08 AM

You're welcome :thumbsup:

Edited by RichieUK, 04 June 2007 - 12:10 PM.




