Malware Infection, Please Help


7 replies to this topic

#1 mads71390


Posted 25 June 2007 - 08:24 PM

I was recently trying to pirate something and much to my dismay I found the keygen for the program was, not surprisingly, malware. Now my computer is showing a lot of annoying symptoms, and I have been working to get rid of the infection.

So far I have utilized my arsenal of cleaning programs to scan for the files. I used Ewido, CCleaner, SmitRem, SmitFraudFix, HijackThis, AdAware, and a-squared free, and these have partially cleaned up the infection.

However, I still have unknown processes that are running in the background and popups appearing every so often. The most peculiar symptom is that whenever I open HijackThis, it instantly is closed, and the same thing happens when I try to go to any website with the word "Killbox" in the title bar.

The programs that I know aren't supposed to be running are iexplore.exe, mgrs.exe, rundll32.exe, win70d.tmp.exe, win7A6.tmp.exe, and some various others that pop up once in a while, some that have names consisting of all numbers.

The original infection included the BraveSentry program, which I got rid of, but I hope that might help classify what is going wrong.

Other symptoms included a locked desktop background and changes to my logon screen.

Any help would be greatly appreciated, as this is my only computer. The latest HJT log that I could get is posted below. I would have posted this in the HijackThis thread, but in accordance with what I mentioned above, any window with the name "HijackThis" in the title gets immediately closed. Thanks in advance.

(Moderator edit: log post moved to Team Forum for analysis and Member assistance. jgweed)

Logfile of HijackThis v1.99.1
Scan saved at 8:08:01 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\win70D.tmp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\win7A6.tmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win7A6.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpow.dll,startup
O4 - HKLM\..\Run: [jopkrcbs.exe] C:\Documents and Settings\All Users\Application Data\jopkrcbs.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by jgweed, 25 June 2007 - 09:04 PM.




#2 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 26 June 2007 - 04:31 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, mads71390.

You're running msconfig in Auto mode, which means that you may have selectively unchecked some items in the past from starting up with Windows.
This can be bad if they're malware, so please re-enable those startup entries by doing the following:
Click on Start > Run, type msconfig and then press Enter.
When the System Configuration Utility opens, click on the Startup tab and make sure all the boxes are checkmarked.
Then press Apply/OK to exit the utility.
If it asks you to restart your PC, please don't.

******************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


******************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

Edited by RichieUK, 26 June 2007 - 08:01 AM.


#3 mads71390

mads71390
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 26 June 2007 - 10:13 AM

Thanks for the help.

I followed your instructions, and VundoFix did remove some files. ComboFix, however, seemed to cause the system to restart right when some text appeared in the command prompt, and I'm not sure if it is supposed to induce that. It did create a txt file though. One thing I just noticed is that my explorer.exe has been deleted from the Windows folder; thankfully I have a lot of backups from registry editing, and I've been able to just run a different version.

EDIT: I also forgot to mention that the renaming of HJT didn't stop it from being closed, because whatever is closing it just looks for the word "HijackThis" in the title bar of any program.

Logfile of HijackThis v1.99.1
Scan saved at 11:05, on 2007-06-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\explorer.exe
C:\WINDOWS\TEMP\win7A6.tmp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\explorer.exe
C:\Program Files\Hijack This\abc.bat

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\P9lOy0A7.dll
O2 - BHO: (no name) - {9054B928-C8A5-4EA7-9106-42843B53C542} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win7A6.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe




VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 10:45:32 AM 6/26/2007

Listing files found while scanning....

C:\windows\system32\cbadd.bak2
C:\windows\system32\cbadd.ini
C:\windows\system32\ddabc.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\opnnlmk.dll
C:\windows\system32\sqtmxnqw.ini
C:\windows\system32\ututv.ini
C:\windows\system32\vtutu.dll
C:\windows\system32\vycdd.bak2
C:\windows\system32\vycdd.ini
C:\WINDOWS\system32\wfvedaql.dll
C:\windows\system32\wqnxmtqs.dll

Beginning removal...

Attempting to delete C:\windows\system32\cbadd.bak2
C:\windows\system32\cbadd.bak2 Has been deleted!

Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Has been deleted!

Attempting to delete C:\windows\system32\ddabc.dll
C:\windows\system32\ddabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnlmk.dll
C:\WINDOWS\system32\opnnlmk.dll Has been deleted!

Attempting to delete C:\windows\system32\sqtmxnqw.ini
C:\windows\system32\sqtmxnqw.ini Has been deleted!

Attempting to delete C:\windows\system32\ututv.ini
C:\windows\system32\ututv.ini Has been deleted!

Attempting to delete C:\windows\system32\vtutu.dll
C:\windows\system32\vtutu.dll Has been deleted!

Attempting to delete C:\windows\system32\vycdd.bak2
C:\windows\system32\vycdd.bak2 Has been deleted!

Attempting to delete C:\windows\system32\vycdd.ini
C:\windows\system32\vycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wfvedaql.dll
C:\WINDOWS\system32\wfvedaql.dll Has been deleted!

Attempting to delete C:\windows\system32\wqnxmtqs.dll
C:\windows\system32\wqnxmtqs.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 10:51:21 AM 6/26/2007

Listing files found while scanning....

No infected files were found.




"Mike" - 2007-06-26 11:00:41 - ComboFix 07-06-26.10 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NDNET1
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 11:00 11,776 --a------ C:\WINDOWS\mgrs.exe
2007-06-26 10:45 <DIR> d-------- C:\VundoFix Backups
2007-06-25 19:57 <DIR> d-------- C:\WINDOWS\system32\S?mantec
2007-06-25 19:57 <DIR> d-------- C:\Program Files\Common Files\S?mantec
2007-06-25 16:13 <DIR> d-------- C:\Program Files\a-squared Free
2007-06-25 15:33 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\jopkrcbs.exe
2007-06-25 15:33 <DIR> d-------- C:\WINDOWS\S?mantec
2007-06-25 15:33 <DIR> d-------- C:\Program Files\S?mantec
2007-06-24 20:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-24 20:13 508 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-24 20:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-24 19:18 4,628 --a------ C:\WINDOWS\system32\bgsfqxpx.exe
2007-06-22 08:18 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\qvydclcl.exe
2007-06-22 00:25 33,536 --------- C:\WINDOWS\system32\drivers\runtime2.sys
2007-06-22 00:24 69,632 --a------ C:\WINDOWS\system32\P9lOy0A7.dll
2007-06-22 00:24 40,448 --a------ C:\WINDOWS\system32\iefuifu.dll
2007-06-12 07:20 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Apple Computer
2007-06-11 20:47 92,108 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-11 20:41 <DIR> d-------- C:\Program Files\Safari
2007-06-08 19:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-05-28 21:38 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-28 21:26 <DIR> d-------- C:\Program Files\Sierra


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 15:06:51 -------- d-----w C:\Program Files\Hijack This
2007-06-22 04:30:44 -------- d-----w C:\Program Files\Cakewalk
2007-06-22 03:51:56 -------- d-s---w C:\Program Files\Xfire
2007-06-22 02:58:15 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\Xfire
2007-06-18 01:51:11 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-18 01:51:06 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-12 23:33:59 -------- d-----w C:\Program Files\JetAudio
2007-06-12 01:06:48 -------- d-----w C:\Program Files\Stardock
2007-06-12 01:06:48 -------- d-----w C:\Program Files\Common Files\Stardock
2007-06-12 00:59:48 -------- d-----w C:\Program Files\SpeedFan
2007-06-12 00:46:51 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\Apple Computer
2007-06-12 00:42:03 -------- d-----w C:\Program Files\Bonjour
2007-06-11 21:14:04 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\U3
2007-06-08 23:19:59 -------- d-----w C:\Program Files\AIM6
2007-06-08 23:05:52 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-29 01:26:34 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-24 19:17:29 -------- d-----w C:\Program Files\Common Files\Thraex Software
2007-05-20 04:13:25 -------- d-----w C:\Program Files\WarRock
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-30 01:36:06 31,928 ----a-w C:\cc_20070329_2136.reg
2006-06-22 16:17:23 56 --sh--r C:\WINDOWS\system32\A4E43BA58D.sys
2006-06-22 16:17:23 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\VXNlcg\prh5w0.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 00:12]
{53B5F2B1-94DD-43E5-8187-EB4E31F00701}=C:\WINDOWS\system32\P9lOy0A7.dll [2007-06-22 00:24]
{9054B928-C8A5-4EA7-9106-42843B53C542}=C:\WINDOWS\system32\ddcyv.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"="C:\WINDOWS\TEMP\win7A6.tmp.exe" [2007-06-25 19:56]
"smgr"="mgrs.exe" [2007-06-26 11:00 C:\WINDOWS\mgrs.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINDOWS\system32\P9lOy0A7.dll" [2007-06-22 00:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 08:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg]
C:\Documents and Settings\All Users\Documents\Settings\bot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32]
winmfu32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xptpmm.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xptptt.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
backup=C:\WINDOWS\pss\Dataviz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\Mike\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Xfire.lnk]
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0mcamcap]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\24ebcf4e.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aete]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win7A6.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blaero Start Orb]
C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
"C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brmfrsmq]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Calendar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvpow.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
"C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\wqnxmtqs.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iiylroer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\intell321.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jopkrcbs.exe]
C:\Documents and Settings\All Users\Application Data\jopkrcbs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft WWW]
C:\WINDOWS\ServicePackFiles\free.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestTrap]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPVideo9]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qhq]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rock]
rock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\ServicePackFiles\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\WINDOWS\system32\scchk32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shell]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySheriff]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareQuake.com]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTooltip]
C:\Program Files\VisualTooltip\VisualToolTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xem]
C:\WINDOWS\ServicePackFiles\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZPoint]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPTISRV"=3 (0x3)
"RioMSC"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 11:09:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [1560]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\windev-6b85-35b4]
"ImagePath"="\??\C:\WINDOWS\system32\windev-6b85-35b4.sys"

Completion time: 2007-06-26 11:10:12
C:\ComboFix-quarantined-files.txt ... 2007-06-26 11:10

--- E O F ---

Edited by mads71390, 26 June 2007 - 10:14 AM.
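A small triage script, added here as an illustration and not code from this thread or from the HijackThis, VundoFix or ComboFix authors. It applies, over lines copied from the logs posted above, the checks RichieUK is making by eye: autostart targets under TEMP or dropped straight into All Users\Application Data, Run and Winlogon Notify entries that give a bare filename with no path, targets reported "(file missing)", and Winlogon Notify DLLs outside system32. It also reads the ComboFix `msconfig\startupreg` section, which lists the startup items msconfig has unchecked (the point of RichieUK's note about msconfig running in /auto mode), and cross-references them against the files VundoFix reported deleting, so that an orphaned loading point such as GPLv3 stands out. The heuristics, the function names and the sample excerpts are my own construction.

```python
import re

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9054B928-C8A5-4EA7-9106-42843B53C542} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win7A6.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [jopkrcbs.exe] C:\Documents and Settings\All Users\Application Data\jopkrcbs.exe
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: part of the msconfig 'startupreg' section in the ComboFix log above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\wqnxmtqs.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySheriff]
"""

# File names the VundoFix log above reports as deleted (lower-case for matching).
VUNDOFIX_DELETED = {"ddabc.dll", "ddcyv.dll", "opnnlmk.dll", "vtutu.dll",
                    "wfvedaql.dll", "wqnxmtqs.dll"}

HJT_LINE_RE = re.compile(r"^(O\d+) - (.+)$")
STARTUPREG_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(.+)\]$",
    re.IGNORECASE)


def parse_hjt_line(line):
    """Split one HijackThis line into section, entry name and launch target."""
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":  # 'HKLM\..\Run: [name] command'
        m4 = re.match(r"^.*?: \[(.*?)\] (.*)$", rest)
        if not m4:
            return None
        name, target = m4.groups()
    else:  # other sections separate fields with ' - ' and put the path last
        parts = rest.split(" - ")
        name, target = parts[0], parts[-1]
    return {"section": section, "name": name, "target": target}


def flag_reasons(entry):
    """Heuristics the responders apply by eye; each hit is a reason to review."""
    section, t = entry["section"], entry["target"].lower()
    reasons = []
    if "(file missing)" in t:
        reasons.append("target reported '(file missing)'")
    if "\\temp\\" in t:
        reasons.append("runs from a TEMP directory")
    if re.search(r"(application data|applic~1)\\[^\\]+$", t):
        reasons.append("executable dropped directly under Application Data")
    if section in ("O4", "O20") and "\\" not in t:
        reasons.append("bare filename, located via the search path")
    if section == "O20" and "\\system32\\" not in t:
        reasons.append("Winlogon Notify DLL outside system32")
    return reasons


def triage(hjt_text):
    """Return [(entry, reasons)] for every HijackThis line that needs a look."""
    entries = filter(None, map(parse_hjt_line, hjt_text.splitlines()))
    hits = [(e, flag_reasons(e)) for e in entries]
    return [(e, r) for e, r in hits if r]


def disabled_startup_entries(combofix_text):
    """Map each msconfig-unchecked item ('startupreg' key) to the command on the next line."""
    lines = combofix_text.splitlines()
    entries = {}
    for i, line in enumerate(lines):
        m = STARTUPREG_RE.match(line.strip())
        if not m:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        entries[m.group(1)] = "" if not nxt or nxt.startswith("[") else nxt
    return entries


def cross_reference(entries, deleted_files):
    """Disabled startup items whose command still names a file a cleanup tool removed."""
    return {name: cmd for name, cmd in entries.items()
            if any(f in cmd.lower() for f in deleted_files)}


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT):
        print(entry["section"], entry["name"], entry["target"], "->", "; ".join(reasons))
    print(cross_reference(disabled_startup_entries(SAMPLE_COMBOFIX), VUNDOFIX_DELETED))
```

Run as a script it prints the flagged HijackThis entries with their reasons, then the disabled msconfig items that still point at a file VundoFix removed. The heuristics only mark entries for review, not as malware: a vendor's leftover "(file missing)" service is flagged exactly like the cmdService entry in the first log, and deciding between the two is still the analyst's job.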


#4 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 26 June 2007 - 10:41 AM

It appears you've no virus protection installed.
Download/install one of the freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

*************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\bgsfqxpx.exe
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\iefuifu.dll
C:\WINDOWS\TEMP\win7A6.tmp.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\jopkrcbs.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\qvydclcl.exe
C:\Documents and Settings\All Users\Documents\Settings\bot.dll

Folders to delete:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.


#5 mads71390

mads71390
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 26 June 2007 - 05:45 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aithpyms

*******************

Script file located at: \??\C:\WINDOWS\oednecbn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\mgrs.exe not found!
Deletion of file C:\WINDOWS\mgrs.exe failed!

Could not process line:
C:\WINDOWS\mgrs.exe
Status: 0xc0000034

File C:\WINDOWS\system32\bgsfqxpx.exe deleted successfully.


File C:\WINDOWS\system32\drivers\runtime2.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\runtime2.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\runtime2.sys
Status: 0xc0000034



File C:\WINDOWS\system32\iefuifu.dll not found!
Deletion of file C:\WINDOWS\system32\iefuifu.dll failed!

Could not process line:
C:\WINDOWS\system32\iefuifu.dll
Status: 0xc0000034



File C:\WINDOWS\TEMP\win7A6.tmp.exe not found!
Deletion of file C:\WINDOWS\TEMP\win7A6.tmp.exe failed!

Could not process line:
C:\WINDOWS\TEMP\win7A6.tmp.exe
Status: 0xc0000034

File C:\DOCUME~1\ALLUSE~1\APPLIC~1\jopkrcbs.exe deleted successfully.
File C:\DOCUME~1\ALLUSE~1\APPLIC~1\qvydclcl.exe deleted successfully.
File C:\Documents and Settings\All Users\Documents\Settings\bot.dll deleted successfully.
Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 6:45:32 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\abc.bat

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\P9lOy0A7.dll
O2 - BHO: (no name) - {9054B928-C8A5-4EA7-9106-42843B53C542} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win7A6.tmp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
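The Avenger log above mixes "deleted successfully" lines with "not found" failures, and the status code it prints tells a helper which is which. The following is an added example (not part of the thread and not Avenger's own code) that summarises such an output.txt so the reviewer can separate files that were already gone from failures that still need attention. The sample log is a constructed excerpt in the same format; the access-denied status on the third entry is constructed to show the non-trivial case, and the helper names are our own.

```python
"""Summarise an Avenger v1 output.txt into deleted / failed entries.

Added example, not code from the thread or from the Avenger tool.
"""
import re

# NTSTATUS values Avenger echoes after a failed deletion.
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034  # path no longer exists
STATUS_ACCESS_DENIED = 0xC0000022          # file is still there, deletion refused

# Constructed sample in the Avenger v1 output format seen in the thread.
# The third entry (example_c.dll, status 0xc0000022) is constructed to
# show a failure that is NOT simply 'file already gone'.
SAMPLE_LOG = """\
Beginning to process script file:

File C:\\WINDOWS\\example_a.exe not found!
Deletion of file C:\\WINDOWS\\example_a.exe failed!

Could not process line:
C:\\WINDOWS\\example_a.exe
Status: 0xc0000034

File C:\\WINDOWS\\system32\\example_b.exe deleted successfully.
Folder C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\ExampleDir deleted successfully.

Deletion of file C:\\WINDOWS\\system32\\example_c.dll failed!

Could not process line:
C:\\WINDOWS\\system32\\example_c.dll
Status: 0xc0000022

Completed script processing.
"""

DELETED_RE = re.compile(r"^(File|Folder) (.+?) deleted successfully\.$")
NOT_FOUND_RE = re.compile(r"^File (.+?) not found!$")
FAILED_RE = re.compile(r"^Deletion of (file|folder) (.+?) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


def parse_avenger_log(text):
    """Return dict with 'deleted', 'not_found' and 'statuses' lists.

    'statuses' pairs each failed path with the NTSTATUS that Avenger
    printed for it (as an int), taken from the next 'Status:' line.
    """
    deleted, not_found, statuses = [], [], []
    pending = None  # path of the last failure still awaiting its Status line
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            deleted.append(m.group(2))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            not_found.append(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            statuses.append((pending, int(m.group(1), 16)))
            pending = None
    return {"deleted": deleted, "not_found": not_found, "statuses": statuses}


def needs_follow_up(result):
    """Paths whose failure was something other than 'object not found'.

    A not-found failure usually means an earlier tool already removed the
    file; any other status means the file is still present and the
    deletion (or a reboot-time deletion) should be retried.
    """
    return [path for path, code in result["statuses"]
            if code != STATUS_OBJECT_NAME_NOT_FOUND]


if __name__ == "__main__":
    summary = parse_avenger_log(SAMPLE_LOG)
    print("deleted:   ", summary["deleted"])
    print("not found: ", summary["not_found"])
    print("follow up: ", needs_follow_up(summary))
```

Run it against a real output.txt by replacing SAMPLE_LOG with the file's contents; in the log posted above every failure carries 0xc0000034, which is why the helper moved on rather than re-running the script.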

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 26 June 2007 - 05:56 PM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\system32\P9lOy0A7.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

****************************

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\P9lOy0A7.dll
O2 - BHO: (no name) - {9054B928-C8A5-4EA7-9106-42843B53C542} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win7A6.tmp.exe
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, let me know how your pc is running now.

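The fix list in the reply above was picked out of the HijackThis log by eye: a BHO registered with no name, an O4 autorun launching from the TEMP folder, and Winlogon Notify entries whose DLL is missing. As an added example (not part of the thread and not HijackThis's own logic), here is a small triage script that applies those same rules to a log so the reviewer gets a shortlist to verify rather than reading every line. The sample lines are an excerpt of the log posted in this thread; the rule names and helper names are our own and the rules are heuristics, not a verdict.

```python
"""Flag HijackThis v1.99.1 log entries that deserve a closer look.

Added example, not code from the thread or from HijackThis. The rules
mirror the reasoning behind the fix list in the reply above.
"""
import re

# Excerpt of the HijackThis log posted in this thread (verbatim lines).
SAMPLE_HJT = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\\WINDOWS\\system32\\P9lOy0A7.dll
O2 - BHO: (no name) - {9054B928-C8A5-4EA7-9106-42843B53C542} - C:\\WINDOWS\\system32\\ddcyv.dll (file missing)
O4 - HKLM\\..\\Run: [avp] C:\\WINDOWS\\TEMP\\win7A6.tmp.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O20 - Winlogon Notify: botreg - C:\\Documents and Settings\\All Users\\Documents\\Settings\\bot.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
"""

# HijackThis prefixes every entry with its section code (R0, F1, O2 ...).
SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - ")
# Any path component named TEMP, case-insensitive.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(text):
    """Return [(section, reasons, line)] for every line that trips a rule.

    Rules (hypothetical heuristics for this example):
      * O2 BHO with '(no name)'            -> no vendor identity at all
      * any entry ending '(file missing)'   -> orphaned registration
      * O4 autorun under a \\TEMP\\ folder  -> legitimate software rarely
                                                 starts from TEMP
      * O20 target that is not a .dll path -> Winlogon Notify must name a DLL
    """
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header or process list, not an entry
        section = m.group(1)
        reasons = []
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if line.endswith("(file missing)"):
            reasons.append("entry points at a file that no longer exists")
        if section == "O4" and TEMP_RE.search(line):
            reasons.append("autorun launches from a temp folder")
        if section == "O20":
            # 'O20 - Winlogon Notify: <name> - <target>' -> take the target.
            target = line.split(" - ", 2)[-1].replace(" (file missing)", "")
            if not target.lower().endswith(".dll"):
                reasons.append("Winlogon Notify target is not a DLL path")
        if reasons:
            findings.append((section, reasons, line))
    return findings


if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_HJT):
        print(f"[{section}] {line}")
        for r in reasons:
            print(f"      - {r}")
```

On the excerpt the script flags exactly the five lines the helper asked to fix plus the WgaLogon entry (a bare directory instead of a DLL), which is the one the helper went after in the next reply; the AVG, Acrobat and service lines pass untouched. Treat the output as a shortlist to research, not as a list to delete blindly.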

#7 mads71390

mads71390
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 27 June 2007 - 11:18 PM

That seems to have cleared it up, here are the logs though.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2007 at 00:58 AM

Application Version : 3.9.1008

Core Rules Database Version : 3261
Trace Rules Database Version: 1272

Scan type : Complete Scan
Total Scan Time : 00:39:55

Memory items scanned : 350
Memory threats detected : 0
Registry items scanned : 6879
Registry threats detected : 72
File items scanned : 43874
File threats detected : 177

Adware.Tracking Cookie
C:\Documents and Settings\Mike\Cookies\mike@tribalfusion[2].txt
C:\Documents and Settings\Mike\Cookies\mike@toseeka[1].txt
C:\Documents and Settings\Mike\Cookies\mike@adecn[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.winantivirus[1].txt
C:\Documents and Settings\Mike\Cookies\mike@pagead[1].txt
C:\Documents and Settings\Mike\Cookies\mike@goclick[2].txt
C:\Documents and Settings\Mike\Cookies\mike@zero.bestmanage1[2].txt
C:\Documents and Settings\Mike\Cookies\mike@zedo[2].txt
C:\Documents and Settings\Mike\Cookies\mike@edge.ru4[2].txt
C:\Documents and Settings\Mike\Cookies\mike@67.15.239[3].txt
C:\Documents and Settings\Mike\Cookies\mike@67.15.239[5].txt
C:\Documents and Settings\Mike\Cookies\mike@winantivirus[2].txt
C:\Documents and Settings\Mike\Cookies\mike@klik.klikadvertising[2].txt
C:\Documents and Settings\Mike\Cookies\mike@revsci[2].txt
C:\Documents and Settings\Mike\Cookies\mike@www.amaena[1].txt
C:\Documents and Settings\Mike\Cookies\mike@67.15.239[1].txt
C:\Documents and Settings\Mike\Cookies\mike@[2].txt
C:\Documents and Settings\Mike\Cookies\mike@stats1.reliablestats[2].txt
C:\Documents and Settings\Mike\Cookies\mike@findwhat[1].txt
C:\Documents and Settings\Mike\Cookies\mike@ad.yieldmanager[1].txt
C:\Documents and Settings\Mike\Cookies\mike@buycom.122.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@ads.adbrite[1].txt
C:\Documents and Settings\Mike\Cookies\mike@count2.exitexchange[2].txt
C:\Documents and Settings\Mike\Cookies\mike@enhance[2].txt
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt
C:\Documents and Settings\Mike\Cookies\mike@upspiral[1].txt
C:\Documents and Settings\Mike\Cookies\mike@ad.firstadsolution[2].txt
C:\Documents and Settings\Mike\Cookies\mike@drivecleaner[2].txt
C:\Documents and Settings\Mike\Cookies\mike@cpvfeed[2].txt
C:\Documents and Settings\Mike\Cookies\mike@f2.bestmanage[1].txt
C:\Documents and Settings\Mike\Cookies\mike@1071288427[1].txt
C:\Documents and Settings\Mike\Cookies\mike@adopt.specificclick[2].txt
C:\Documents and Settings\Mike\Cookies\mike@f1.bestmanage[1].txt
C:\Documents and Settings\Mike\Cookies\mike@fastclick[1].txt
C:\Documents and Settings\Mike\Cookies\mike@67.15.239[2].txt
C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt
C:\Documents and Settings\Mike\Cookies\mike@67.15.239[6].txt
C:\Documents and Settings\Mike\Cookies\mike@1072620568[1].txt
C:\Documents and Settings\Mike\Cookies\mike@1071364186[1].txt
C:\Documents and Settings\Mike\Cookies\mike@azjmp[1].txt
C:\Documents and Settings\Mike\Cookies\mike@f3.bestmanage[1].txt
C:\Documents and Settings\Mike\Cookies\mike@cgi-bin[2].txt
C:\Documents and Settings\Mike\Cookies\mike@exitexchange[2].txt
C:\Documents and Settings\Mike\Cookies\mike@netshops.122.2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@www.upspiral[1].txt
C:\Documents and Settings\Mike\Cookies\mike@adserver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@drivecleaner[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.drivecleaner[2].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.MediaMediatickets
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx#{9EB320CE-BE1D-4304-A081-4B4665414BEF}

Trojan.XptpMM
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xptpmm.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xptptt.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xptpmm.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xptptt.sys
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPTPMM\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm#Type
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm#Start
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Security
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Enum
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\xptpmm\Enum#INITSTARTFAILED
HKLM\SYSTEM\CurrentControlSet\Services\xptptt
HKLM\SYSTEM\CurrentControlSet\Services\xptptt#Type
HKLM\SYSTEM\CurrentControlSet\Services\xptptt#Start
HKLM\SYSTEM\CurrentControlSet\Services\xptptt#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\xptptt#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\xptptt#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Security
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Enum
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\xptptt\Enum#INITSTARTFAILED

Trojan.Svchosts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX\0000#DeviceDesc

Trojan.Downloader-Gen/D3AB
C:\!KILLBOX\P9LOY0A7.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1052\A0370673.DLL

Adware.Toolbar888
C:\PROGRAM FILES\HIJACK THIS\BACKUPS\BACKUP-20070129-193734-335.DLL
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\{30D26~1\BAR888.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367597.DLL

Trojan.Downloader-Gen/WinPop
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINPOP\WINPOP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367596.EXE

Trojan.Downloader-Gen/Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\B122.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367603.EXE

Trojan.Downloader-Gen/C3
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\62242336.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367586.DLL

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSAPISV.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367581.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367585.EXE
C:\WINDOWS\VXNLCG\PRH5W0.VBS

Trojan.Update-Mcboo
C:\RECYCLER\S-1-5-18\DC1\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC10\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC100\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC101\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC11\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC12\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC13\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC14\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC15\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC16\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC17\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC18\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC19\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC2\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC20\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC21\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC22\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC23\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC24\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC25\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC26\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC27\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC28\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC29\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC3\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC30\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC31\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC32\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC33\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC34\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC35\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC36\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC37\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC38\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC39\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC4\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC40\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC41\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC42\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC43\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC44\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC45\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC46\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC47\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC48\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC49\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC5\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC50\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC51\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC52\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC53\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC54\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC55\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC56\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC57\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC58\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC59\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC6\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC60\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC61\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC62\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC63\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC64\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC65\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC66\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC67\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC68\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC69\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC7\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC70\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC71\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC72\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC73\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC74\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC75\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC76\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC77\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC78\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC79\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC8\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC80\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC81\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC82\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC83\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC84\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC85\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC86\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC87\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC88\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC89\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC9\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC90\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC91\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC92\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC93\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC94\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC95\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC96\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC97\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC98\UPDATE.EXE
C:\RECYCLER\S-1-5-18\DC99\UPDATE.EXE

Trojan.Downloader-UltimateFixer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1047\A0341492.EXE

Dialer.Dial/Gen Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0366532.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367560.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367607.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367608.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0367609.DLL

Malware.Ultimate Defender
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0369585.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0369586.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{676A50B9-FAEB-40B6-983D-17B262985C01}\RP1051\A0369587.EXE

Adware.ClickSpring/MediaTickets
C:\WINDOWS\MTUNINST.EXE

Trojan.PSA3D
C:\WINDOWS\SYSTEM32\PS.A3D




Logfile of HijackThis v1.99.1
Scan saved at 12:18:43 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\progra~1\mozill~1\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 28 June 2007 - 05:23 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

*******************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

******************************

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into your next reply.

Also post a new Hijackthis log please.



