Pc Running Extremely Slow


  • This topic is locked
12 replies to this topic

#1 brownsfan

brownsfan

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 03 June 2007 - 12:28 PM

PC is running extremely slow with a ton of pop-ups. Can anyone help get me back up and running correctly? Any help is greatly appreciated! Here is the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 1:13:39 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O1 - Hosts: Code:
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 03 June 2007 - 02:16 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum brownsfan :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

****************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


****************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to xyz.bat
Double click on xyz.bat (which is still Hijackthis.exe), post that log into your next reply please.

#3 brownsfan

brownsfan
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 03 June 2007 - 03:09 PM

OK, I did as you said. Thanks for the quick reply. Here is the VundoFix log:



VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.7

Scan started at 11:42:30 AM 5/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\khfda.dll
C:\WINDOWS\system32\adfhk.ini
C:\WINDOWS\system32\adfhk.bak1
C:\WINDOWS\system32\adfhk.bak2
C:\WINDOWS\system32\adfhk.ini2
C:\WINDOWS\system32\adfhk.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\khfda.dll
C:\WINDOWS\system32\khfda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\adfhk.ini
C:\WINDOWS\system32\adfhk.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\adfhk.bak1
C:\WINDOWS\system32\adfhk.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adfhk.bak2
C:\WINDOWS\system32\adfhk.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adfhk.ini2
C:\WINDOWS\system32\adfhk.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adfhk.tmp
C:\WINDOWS\system32\adfhk.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.7

Scan started at 12:06:54 PM 6/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\vtspq.dll
C:\WINDOWS\system32\qpstv.ini
C:\WINDOWS\system32\qpstv.bak1
C:\WINDOWS\system32\qpstv.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtspq.dll
C:\WINDOWS\system32\vtspq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpstv.ini
C:\WINDOWS\system32\qpstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpstv.bak1
C:\WINDOWS\system32\qpstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpstv.bak2
C:\WINDOWS\system32\qpstv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Scan started at 3:39:11 PM 6/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\gebabcb.dll
C:\WINDOWS\system32\mnmoq.bak1
C:\WINDOWS\system32\mnmoq.bak2
C:\WINDOWS\system32\mnmoq.ini
C:\WINDOWS\system32\qomnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebabcb.dll
C:\WINDOWS\system32\gebabcb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnmoq.bak1
C:\WINDOWS\system32\mnmoq.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnmoq.bak2
C:\WINDOWS\system32\mnmoq.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnmoq.ini
C:\WINDOWS\system32\mnmoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnm.dll
C:\WINDOWS\system32\qomnm.dll Has been deleted!

Performing Repairs to the registry.
Done!


Here is the ComboFix log:

2007-06-03 10:39	  1147	--a------	C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\Framework\ntp2.ini.vir


Folder PATH listing
Volume serial number is 8C0A-1777
C:\QOOBOX
\---Quarantine
	+---C
	|   +---avenger
	|   +---Program Files
	|   |   \---Common Files
	|   |	   \---ICROSO~1
	|   \---WINDOWS
	|	   \---Microsoft.NET
	|		   \---Framework
	|				   ntp2.ini.vir
	|				   
	\---Registry_backups



And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:00:53 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe
C:\Program Files\Hijackthis\xyz.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O1 - Hosts: Code:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {320F26E1-8F10-4143-B433-B2DB14896D1F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {584B596B-9962-4A86-A920-814B2FB4537C} - C:\WINDOWS\system32\qomnm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: abrmain - c:\windows\microsoft.net\framework\abrmain.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 brownsfan

brownsfan
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 03 June 2007 - 03:11 PM

I think I might have posted the wrong ComboFix log. Here it is:

"Browns Fan" - 2007-06-03 15:52:05 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Browns Fan\Desktop\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\Program Files\Common Files\{3C0A1~1
C:\Program Files\Common Files\{8C0A1~1
C:\Program Files\Common Files\{8C0A1~2
C:\Program Files\Common Files\ICROSO~1
C:\WINDOWS\Microsoft.NET\Framework\ntp2.ini


((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 )))))))))))))))))))))))))))))))


2007-06-03 11:34 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2007-06-03 11:34 <DIR> d-------- C:\Program Files\Trisnap Technologies
2007-06-03 11:10 <DIR> d-------- C:\Program Files\Remove on Reboot
2007-06-03 10:24 <DIR> d-------- C:\!KillBox
2007-06-03 10:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BRO\APPLIC~1\U3
2007-06-03 00:04 <DIR> d-------- C:\Program Files\Bazooka Scanner
2007-06-03 00:02 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\U3
2007-06-02 20:26 512 --a------ C:\ScanSectorLog.dat
2007-06-02 20:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BRO\APPLIC~1\MailFrontier
2007-06-02 19:44 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\MailFrontier
2007-06-02 19:42 40,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-06-02 19:42 347,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-02 19:28 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-06-02 19:27 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-02 19:27 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-02 19:26 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-02 19:26 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-02 17:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-02 17:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-02 15:38 <DIR> d-------- C:\Program Files\Prison Tycoon
2007-06-02 15:29 5,248 --a------ C:\WINDOWS\system32\drivers\vax347s.sys
2007-06-02 15:29 159,616 --a------ C:\WINDOWS\system32\drivers\vax347b.sys
2007-06-02 15:28 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-02 13:03 2,580 --a------ C:\WINDOWS\system32\hhxubimq.exe
2007-06-01 23:56 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\iWin
2007-06-01 23:53 <DIR> d-------- C:\Program Files\GameHouse
2007-06-01 23:15 <DIR> d-------- C:\DOCUME~1\BROWNS~1\Shared
2007-06-01 23:15 <DIR> d-------- C:\DOCUME~1\BROWNS~1\Incomplete
2007-06-01 23:14 <DIR> d-------- C:\Program Files\LimeWire
2007-06-01 23:14 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\LimeWire
2007-06-01 12:59 <DIR> d-------- C:\Program Files\a-squared Free
2007-06-01 12:42 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-01 12:41 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-06-01 12:41 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-06-01 12:41 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\Simply Super Software
2007-06-01 12:28 1,428,902 --ahs---- C:\WINDOWS\system32\mnmoq.ini.ren
2007-06-01 12:28 1,428,777 --a------ C:\WINDOWS\system32\mnmoq.bak1.ren
2007-05-31 11:44 <DIR> d-------- C:\DOCUME~1\BROWNS~1\.housecall6.6
2007-05-30 21:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-29 11:42 <DIR> d-------- C:\VundoFix Backups
2007-05-28 14:55 <DIR> d-------- C:\Program Files\mIRC
2007-05-27 16:36 24,192 --a------ C:\DOCUME~1\BROWNS~1\usbsermptxp.sys
2007-05-27 16:36 22,768 --a------ C:\DOCUME~1\BROWNS~1\usbsermpt.sys
2007-05-27 16:32 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-05-27 16:31 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\InstallShield
2007-05-27 16:07 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\NCH Swift Sound
2007-05-27 11:37 1,100,960 --a------ C:\WINDOWS\system32\wvqmdnld.ini.ren
2007-05-26 23:07 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\CyberLink
2007-05-26 23:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-05-26 22:10 <DIR> d-------- C:\Program Files\CyberLink
2007-05-26 20:40 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\dvdcss
2007-05-26 12:36 <DIR> d---s---- C:\DOCUME~1\BROWNS~1\UserData
2007-05-24 12:18 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\Google
2007-05-10 21:04 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-05-10 21:04 <DIR> d-------- C:\Program Files\MSN content crazy show
2007-05-10 21:03 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\Screenshot Sender
2007-05-10 20:56 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\vlc
2007-05-10 20:41 <DIR> d-------- C:\Program Files\PowerISO
2007-05-09 14:06 <DIR> d-------- C:\DOCUME~1\BROWNS~1\Contacts
2007-05-09 13:38 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\MySpace
2007-05-09 13:34 <DIR> d-------- C:\DOCUME~1\BROWNS~1\APPLIC~1\uTorrent
2007-05-09 12:53 2,883,584 --ah----- C:\DOCUME~1\BROWNS~1\NTUSER.DAT
2007-05-08 13:02 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-05-08 13:02 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-05-08 13:02 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-05-08 13:02 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-05-08 13:02 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-05-08 13:02 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-05-06 23:59 <DIR> d-------- C:\Program Files\PC_Sierras 3D Ultra Mini Golf -Ready2Run
2007-05-06 14:09 2,180,352 --a------ C:\WINDOWS\system32\LOGOOS.EXE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 23:06:57 -------- d-----w C:\Program Files\Winamp
2007-06-02 23:06:47 -------- d-----w C:\Program Files\webui_v0.310_beta_2
2007-06-01 20:15:20 -------- d-----w C:\Program Files\iMesh Applications
2007-05-31 00:55:46 -------- d-----w C:\Program Files\Google
2007-05-31 00:55:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 20:36:20 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-05-27 20:33:38 -------- d-----w C:\Program Files\Motorola Phone Tools
2007-05-27 14:56:05 -------- d-----w C:\Program Files\Yahoo!
2007-05-11 19:53:13 -------- d-----w C:\Program Files\MSN Messenger
2007-05-10 20:52:13 3,629 ----a-w C:\WINDOWS\mozver.dat
2007-05-09 17:38:21 10 ----a-w C:\WINDOWS\popcinfo.dat
2007-05-07 14:19:51 -------- d-----w C:\Program Files\VideoLAN
2007-04-29 04:46:03 -------- d-----w C:\Program Files\NoAds
2007-04-29 04:45:56 -------- d-----w C:\Program Files\TaskSwitchXP
2007-04-23 07:47:37 -------- d-----w C:\Program Files\DivX
2007-04-20 05:41:33 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 17:06:39 335 ----a-w C:\WINDOWS\nsreg.dat
2007-04-17 01:43:08 -------- d-----w C:\Program Files\Stardock
2007-04-09 12:27:07 31,548 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2007-04-07 17:39:56 -------- d-----w C:\Program Files\Enigma Software Group
2007-04-07 17:27:38 -------- d-----w C:\Program Files\Messenger
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-03 19:27:52 69 --s-a-w C:\WINDOWS\url1.bat
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\QnJvY2s\kBLSsZP.vbs
2007-02-19 04:15:55 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{584B596B-9962-4A86-A920-814B2FB4537C}=C:\WINDOWS\system32\qomnm.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 14:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-08-01 15:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-08-01 15:43]
"ATIModeChange"="Ati2mdxx.exe" [2002-07-11 22:19 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-07-12 00:08 C:\WINDOWS\system32\atiptaxx.exe]
"CARPService"="carpserv.exe" [2002-10-17 12:54 C:\WINDOWS\system32\carpserv.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 22:26]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abrmain]
c:\windows\microsoft.net\framework\abrmain.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48b2cb1a-e939-11db-96e3-00904bb0a86a}]
AutoRun\command- F:\LaunchU3.exe


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 15:57:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-03 15:58:49
C:\ComboFix-quarantined-files.txt ... 2007-06-03 15:58

--- E O F ---

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 03 June 2007 - 03:33 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\hhxubimq.exe
C:\WINDOWS\system32\mnmoq.ini.ren
C:\WINDOWS\system32\mnmoq.bak1.ren
C:\WINDOWS\system32\wvqmdnld.ini.ren

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

************************

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open, at the bottom of the window to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O1 - Hosts: Code:
O2 - BHO: (no name) - {320F26E1-8F10-4143-B433-B2DB14896D1F} - (no file)
O2 - BHO: (no name) - {584B596B-9962-4A86-A920-814B2FB4537C} - C:\WINDOWS\system32\qomnm.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O20 - Winlogon Notify: abrmain - c:\windows\microsoft.net\framework\abrmain.dll (file missing)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the Avenger output.txt, the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your PC is running now, please.

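As an added example (not code from this thread or from HijackThis itself), a small Python parser for the log format quoted above: it picks out the O2 BHO and O20 Winlogon Notify entries whose file is '(no file)' or '(file missing)', the orphaned entries the helper asks HJT to fix, and diffs the 'Running processes' list between two logs. The sample lines are copied from the logs posted in this thread; the regexes cover only the HJT v1.99.1 line shapes shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the HijackThis v1.99.1 logs posted
# in this thread (one "no name" BHO with no file, one BHO whose DLL is missing,
# one legitimate BHO, one orphaned Winlogon Notify entry and one legitimate one).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {320F26E1-8F10-4143-B433-B2DB14896D1F} - (no file)
O2 - BHO: (no name) - {584B596B-9962-4A86-A920-814B2FB4537C} - C:\WINDOWS\system32\qomnm.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: abrmain - c:\windows\microsoft.net\framework\abrmain.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample of the later log from the same thread: HijackThis now runs
# under a renamed executable, the AVG guard service is present, and the
# orphaned entries are gone.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hijackthis\xyz.bat.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass
class HjtEntry:
    section: str           # HJT section tag, e.g. "O2" or "O20"
    name: str              # BHO display name or Winlogon Notify subkey name
    clsid: Optional[str]   # CLSID for O2 entries, None for O20 entries
    path: str              # path field exactly as HijackThis printed it
    raw: str               # the full original log line

    @property
    def orphaned(self) -> bool:
        """True when the registry entry points at a file that no longer exists."""
        return self.path == "(no file)" or self.path.endswith("(file missing)")


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_hjt(text: str) -> Tuple[List[str], List[HjtEntry]]:
    """Split a HijackThis log into its 'Running processes' list and its O2/O20 entries."""
    processes: List[str] = []
    entries: List[HjtEntry] = []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
            continue
        m = O2_RE.match(line)
        if m:
            entries.append(HjtEntry("O2", m["name"], m["clsid"], m["path"], line))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(HjtEntry("O20", m["name"], None, m["path"], line))
    return processes, entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Entries whose target file is gone: leftover registry keys the helper has HJT fix."""
    return [e for e in parse_hjt(text)[1] if e.orphaned]


def process_diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Case-insensitive diff of the running-process lists: (newly seen, no longer seen)."""
    b = {p.lower() for p in parse_hjt(before)[0]}
    a = {p.lower() for p in parse_hjt(after)[0]}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for e in orphaned_entries(BEFORE_LOG):
        print(f"fix: {e.raw}")
    added, gone = process_diff(BEFORE_LOG, AFTER_LOG)
    print("new processes:", added)
    print("gone processes:", gone)
```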

#6 brownsfan

  • Topic Starter

  • Members
  • 15 posts

Posted 03 June 2007 - 05:39 PM

Ok, I did all as described. PC is running better, still far from good. Here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pcetbjft

*******************

Script file located at: \??\C:\Program Files\mcjkcrns.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\hhxubimq.exe deleted successfully.
File C:\WINDOWS\system32\mnmoq.ini.ren deleted successfully.
File C:\WINDOWS\system32\mnmoq.bak1.ren deleted successfully.
File C:\WINDOWS\system32\wvqmdnld.ini.ren deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here is the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:25:48 PM 2007-06-03

+ Scan result:



C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP99\A0015152.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP103\A0018428.exe -> Adware.Fakealert : Cleaned with backup (quarantined).
HKU\S-1-5-21-861567501-1202660629-1708537768-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP99\A0015153.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP99\A0015154.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP99\A0015155.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP76\A0007896.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\!KillBox\gebabcb.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\gebabcb.dll( 1) -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\gebabcb.dll( 10) -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\gebabcb.dll( 2) -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\gebabcb.dll( 4) -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\gebabcb.dll( 7) -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP103\A0018579.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebabcb.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
:mozilla.235:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.47:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.51:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.89:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.90:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.91:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.243:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.120:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.106:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.108:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.109:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.110:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.111:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.211:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.8:C:\Documents and Settings\Administrator.BROCK\Application Data\Mozilla\Firefox\Profiles\lpf4zrqr.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.131:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.132:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.133:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.134:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.157:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.193:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.197:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.198:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.229:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.256:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.100:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.101:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.99:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.10:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.87:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.176:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.177:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.178:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.180:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.185:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.186:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.241:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Toplist : Cleaned.
:mozilla.127:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.129:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.103:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.104:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.105:C:\Documents and Settings\Browns Fan\Application Data\Mozilla\Firefox\Profiles\qlvcx0xt.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Browns Fan\Cookies\browns fan@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP89\A0012191.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C749630-D684-4A2B-A8C9-655B3A589BF2}\RP98\A0014889.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\QnJvY2s\kBLSsZP.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:32:31 PM, on 2007-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\xyz.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 03 June 2007 - 06:48 PM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

******************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new HijackThis log please.
Let me know how it's going now.


#8 brownsfan

  • Topic Starter

  • Members
  • 15 posts

Posted 03 June 2007 - 08:44 PM

Ok, did as suggested. Seems to be running better.
Here is the Dr.Web log:


abrmain.dll;C:\!KillBox;Trojan.Virtumod;Deleted.;
abrmain.dll( 12);C:\!KillBox;Trojan.Virtumod;Deleted.;
abrmain.dll( 13);C:\!KillBox;Trojan.Virtumod;Deleted.;
abrmain.dll( 3);C:\!KillBox;Trojan.Virtumod;Deleted.;
abrmain.dll( 6);C:\!KillBox;Trojan.Virtumod;Deleted.;
abrmain.dll( 9);C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll;C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll( 11);C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll( 2);C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll( 3);C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll( 4);C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll( 5);C:\!KillBox;Trojan.Virtumod;Deleted.;
qomnm.dll( 8);C:\!KillBox;Trojan.Virtumod;Deleted.;
Phil Vassar - Six-Pack Summer (6).mp3;C:\Documents and Settings\Browns Fan\My Documents\My Music\Country\Phil Vassar;Modification of BAT.310;Moved.;
qomnm.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;


New HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:40:15 PM, on 2007-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\xyz.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 June 2007 - 01:23 AM

Download and scan with the free 15-day trial of Counterspy V2.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

#10 brownsfan

  • Topic Starter

  • Members
  • 15 posts

Posted 04 June 2007 - 01:38 PM

Ok, here is the new log:

Scan History Details
Start Date: 2007-06-04 11:20:01 AM
End Date: 2007-06-04 12:48:51 PM
Total Time: 88 Min 50 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\browns fan\cookies\browns fan@atdmt[2].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\browns fan\cookies\browns fan@doubleclick[1].txt


Weatherbug Low Risk Adware more information...
Details: Weatherbug is an ad supported desktop weather applicaton that provides updates on weather conditions and displays real time temperatures in the taskbar icon.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID


Morpheus P2P Program more information...
Details: P2P file sharing program that installs a number of adware programs. Morpheus also displays its own popup advertsing.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT\shell
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT\shell\open
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\MORPHTORRENT\shell\open\command


Paltalk Low Risk Adware more information...
Details: Paltalk is an advertising-supported instant messaging client.
Status: Ignored

Files detected
C:\PROGRAM FILES\PALTALK MESSENGER
C:\PROGRAM FILES\PALTALK MESSENGER\RECEIVEDFILES

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\.PALTALK
HKEY_LOCAL_MACHINE\Software\Classes\.PALTALK
HKEY_LOCAL_MACHINE\Software\Classes\.PALTALK
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell\Open
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell\Open\Command
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell\Open\Command


Winvestigator Commercial Key Logger more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\open
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play\command
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play\command
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play\DropTarget
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shell\play
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shellex
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shellex\ContextMenuHandlers\WMPAddToPlaylist
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shellex\ContextMenuHandlers\WMPAddToPlaylist
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shellex\ContextMenuHandlers\WMPPlayAsPlaylist
HKEY_LOCAL_MACHINE\Software\Classes\WVFILE\shellex\ContextMenuHandlers\WMPPlayAsPlaylist


Cookie: ad.yieldmanager Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\browns fan\cookies\browns fan@ad.yieldmanager[2].txt


Trojan.Win32.Qhost.hf Trojan more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\URLS

#11 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 04 June 2007 - 01:47 PM

If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix
Avenger
HostsXpert 3.8

C:\!KillBox
C:\Avenger
C:\QooBox
C:\VundoFix Backups

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

:thumbsup:

#12 brownsfan

brownsfan
  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:03 PM

Posted 04 June 2007 - 04:15 PM

Just would like to say thanks for all your help and quick responses it is greatly appreciated!!

#13 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 05 June 2007 - 05:56 AM

You're welcome :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.