Malware problems - win32.delf.rtk ...mabidwe.exe ..solewxte.exe etc et
muvva_oz (New Member, Posts: 7, OS: xp)
Post #1, Sep 24 2008, 04:11 PM

Hi, I'm having problems removing the malware on my computer. I have followed all the steps before posting & although Malwarebytes seems to remove them, it's only for a short period of time & they are back on my computer the following day. If anyone can help me fix the problem, it would really be appreciated!

Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:34 AM, on 25/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\solewxte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udxfytw.sys
C:\DOCUME~1\home\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.oztion.com.au/secure/OA/sell/up...geUploader3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe
O23 - Service: soxpeca - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 6851 bytes
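The first log already holds the evidence a helper uses to pick the O23 entries that need removing: eight services run out of C:\WINDOWS\system32 with no vendor in their version information ("Unknown owner") and a display name that is nothing more than the internal name, and two .sys images (tpszxyd.sys, udxfytw.sys) appear in the running-process list even though a driver is not a process. The Python below is an added example, not code from the thread or from HijackThis, that applies those three indicators to each O23 line and cross-checks the process list. The log excerpt is constructed from the lines in the post above; the indicator names and the two-of-three threshold are my own choice; the O23 line format is inferred from the posted log (HijackThis omits the parenthesised service name when it equals the display name, as with mabidwe).

```python
import ntpath
import re

# Constructed excerpt of a HijackThis v2 log. The entries are copied from the
# log in the first post and trimmed to a few lines so the example runs offline.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
"""

# "O23 - Service: <display> (<name>) - <owner> - <path>"; HijackThis omits the
# parenthesised service name when it equals the display name (see "mabidwe").
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
ORPHAN_BHO_RE = re.compile(r"^O2 - BHO: .* - \(no file\)$")
SYSTEM32_RE = re.compile(r"\\(windows|winnt)\\system32\\[^\\]+$")


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def service_indicators(display, name, owner, path):
    """Score one O23 entry; each indicator is weak alone, together they are not."""
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("no vendor in version info")
    if SYSTEM32_RE.search(path.lower()):
        reasons.append("binary dropped directly in system32")
    if display.lower() in (name.lower(), name.lower() + " service"):
        reasons.append("display name is just the internal name")
    return reasons


def triage(log_text):
    """Flag O23 services with two or more indicators, plus two side checks."""
    procs = running_processes(log_text)
    running = {p.lower() for p in procs}
    suspicious, orphan_bho = [], []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            name = m.group("name") or m.group("display")
            reasons = service_indicators(m.group("display"), name,
                                         m.group("owner"), m.group("path"))
            if len(reasons) >= 2:
                suspicious.append({
                    "name": name,
                    "path": m.group("path"),
                    "reasons": reasons,
                    "running": m.group("path").lower() in running,
                })
        elif ORPHAN_BHO_RE.match(line):
            orphan_bho.append(line)
    # A .sys image is a driver; one showing up as a process is worth a look.
    sys_as_process = [p for p in procs if ntpath.splitext(p)[1].lower() == ".sys"]
    return {"suspicious_services": suspicious,
            "sys_as_process": sys_as_process,
            "orphan_bho": orphan_bho}


if __name__ == "__main__":
    report = triage(SAMPLE_HJT_LOG)
    for svc in report["suspicious_services"]:
        state = "running" if svc["running"] else "not running"
        print(f"{svc['name']:<10} {state:<12} {'; '.join(svc['reasons'])}")
    for p in report["sys_as_process"]:
        print(f"driver image listed as a process: {p}")
```

The threshold keeps the ESET HTTP server, which is also "Unknown owner", out of the list: one indicator is not a verdict, which is why the helper asks for logs rather than letting HijackThis fix entries straight away. The orphan BHO is reported separately; it is cleanup, not evidence of infection.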
koko_crunch (Trusted Helper, Posts: 1,712, OS: Windows XP)
Post #2, Sep 24 2008, 09:42 PM

Hello muvva_oz and Welcome to Geeks to Go!

We would very much like to help you, but first you must install HijackThis on your computer.
This will enable us to store backups of entries we fix, just in case we need to restore them later.

To do so,

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Next,

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to "Update Malwarebytes' Anti-Malware" and "Launch Malwarebytes' Anti-Malware", then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with
- MBAM log
- New HijackThis log
muvva_oz (New Member, Posts: 7, OS: xp)
Post #3, Sep 24 2008, 10:52 PM

Hi,

Thanks so much for getting back to me.

No problems at all. I've installed HijackThis & have also run Malwarebytes, & here are the new logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:45 PM, on 25/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\solewxte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.oztion.com.au/secure/OA/sell/up...geUploader3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe
O23 - Service: soxpeca - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 6797 bytes

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3

25/09/2008 2:48:15 PM
mbam-log-2008-09-25 (14-48-15).txt

Scan type: Quick Scan
Objects scanned: 50568
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Just let me know what I need to do next.

Thanks in advance for your time & help!
koko_crunch (Trusted Helper, Posts: 1,712, OS: Windows XP)
Post #4, Sep 25 2008, 09:55 AM

Ok, I want to try this first before we use other tools.

Read this post completely before proceeding with the fix.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

Next,

Open Notepad.
Copy and paste the text in the code box below.
Type the filename as fix.bfu, then set the file type to "All files".
Locate C:\BFU, then click Save.

    CODE
    OptionSaveLog c:\bfu\removed.txt

    OptionSetStatus Deleting Services...
    ServiceDelete comsa32
    ServiceDelete udxfytw
    ServiceDelete tpszxyd
    ServiceDelete afisicx
    ServiceDelete mabidwe
    ServiceDelete noytcyr
    ServiceDelete roytctm
    ServiceDelete solewxte
    ServiceDelete soxpeca
    ServiceDelete tdydowkc
    ServiceDelete msweew
    ServiceDelete wsldoekd

    OptionSetStatus Deleting Files...
    FileDeleteOnReboot %SYSDIR%\udxfytw.sys
    FileDeleteOnReboot %SYSDIR%\tpszxyd.sys
    FileDeleteOnReboot %SYSDIR%\comsa32.sys
    FileDeleteOnReboot %SYSDIR%\afisicx.exe
    FileDeleteOnReboot %SYSDIR%\mabidwe.exe
    FileDeleteOnReboot %SYSDIR%\noytcyr.exe
    FileDeleteOnReboot %SYSDIR%\roytctm.exe
    FileDeleteOnReboot %SYSDIR%\solewxte.exe
    FileDeleteOnReboot %SYSDIR%\soxpeca.exe
    FileDeleteOnReboot %SYSDIR%\tdydowkc.exe
    FileDeleteOnReboot %SYSDIR%\wsldoekd.exe
    FileDeleteOnReboot %SYSDIR%\msweew.exe
    FileDeleteOnReboot %SYSDIR%\wsldoeke.exe

    OptionSetStatus Performing minor cleanup...
    SystemEmptyInternetCache
    SystemEmptyTempFolder
    SystemEmptyRecycleBin

    OptionSetStatus Restarting System...
    OptionPauseNow 1000
    SystemRestartIfNeeded Rebooting System|1

    LogIfFileExists %SYSDIR%\udxfytw.sys
    LogIfFileExists %SYSDIR%\tpszxyd.sys
    LogIfFileExists %SYSDIR%\comsa32.sys
    LogIfFileExists %SYSDIR%\afisicx.exe
    LogIfFileExists %SYSDIR%\mabidwe.exe
    LogIfFileExists %SYSDIR%\noytcyr.exe
    LogIfFileExists %SYSDIR%\roytctm.exe
    LogIfFileExists %SYSDIR%\solewxte.exe
    LogIfFileExists %SYSDIR%\soxpeca.exe
    LogIfFileExists %SYSDIR%\tdydowkc.exe
    LogIfFileExists %SYSDIR%\wsldoekd.exe
    LogIfFileExists %SYSDIR%\msweew.exe
    LogIfFileExists %SYSDIR%\wsldoeke.exe


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select fix.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Your system will restart to complete the process.
  • Wait for the "complete script execution" box to pop up and press OK.
  • Press Exit to terminate the BFU program.
  • Copy the contents of removed.txt, which will be located in C:\BFU


Logs required.
- Removed.txt
- New HijackThis log

This post has been edited by koko_crunch: Sep 25 2008, 09:58 AM
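The fix.bfu above was written by hand from the MBAM report and the first HijackThis log: one ServiceDelete per service name (MBAM lists each name three times, once per control set, but BFU deletes by name, so one line each is enough), one FileDeleteOnReboot per dropped file, and a ServiceDelete for the stem of the .sys hit as well (comsa32), since a driver is registered as a service too. The Python below is an added example, not code from the thread or from the BFU project, that derives those two lists from an MBAM report and emits a script in the same layout. The MBAM excerpt is constructed from the report in post #3; the BFU command names and the %SYSDIR% placeholder are the ones used in the helper's script; treating every file stem as a service name is my assumption, copied from the comsa32 line. Names the helper added from experience rather than from the MBAM report (msweew, wsldoeke, and the two .sys files seen only in the HijackThis process list) cannot come out of this parser, so the generated script is a starting point to merge with what the analyst knows, not a replacement for it.

```python
import ntpath
import re

# Constructed excerpt of the Malwarebytes report from post #3, trimmed to two
# services and three files so the example runs offline.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1203
Registry Keys Infected: 4
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A service key may be reported under any control set; only the name matters.
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<name>[^\\ ]+) \(", re.I)
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \([^)]+\) -> ")
SYSDIR_RE = re.compile(r"^[A-Za-z]:\\(?:windows|winnt)\\system32\\", re.I)


def parse_mbam(log_text):
    """Return (set of service names, list of file paths) from an MBAM report."""
    services, files, section = set(), [], None
    for line in log_text.splitlines():
        if line.endswith("Infected:"):      # section header, not the summary count
            section = line
            continue
        if section == "Registry Keys Infected:":
            m = SERVICE_KEY_RE.match(line)
            if m:
                services.add(m.group("name"))
        elif section == "Files Infected:":
            m = FILE_RE.match(line)
            if m and m.group("path") not in files:
                files.append(m.group("path"))
    return services, files


def to_bfu_path(path):
    """BFU expands %SYSDIR%; anything outside system32 stays absolute."""
    return SYSDIR_RE.sub(r"%SYSDIR%\\", path)


def build_bfu_script(mbam_log, log_path=r"c:\bfu\removed.txt"):
    """Emit a fix.bfu in the same section order as the helper's script."""
    services, files = parse_mbam(mbam_log)
    # Assumption: each dropped binary (the .sys files as drivers) is also a
    # service named after its stem, as the helper's "ServiceDelete comsa32".
    services |= {ntpath.splitext(ntpath.basename(p))[0] for p in files}
    bfu_files = [to_bfu_path(p) for p in files]
    lines = [f"OptionSaveLog {log_path}", "", "OptionSetStatus Deleting Services..."]
    lines += [f"ServiceDelete {name}" for name in sorted(services, key=str.lower)]
    lines += ["", "OptionSetStatus Deleting Files..."]
    lines += [f"FileDeleteOnReboot {p}" for p in bfu_files]
    lines += ["", "OptionSetStatus Performing minor cleanup...",
              "SystemEmptyInternetCache", "SystemEmptyTempFolder",
              "SystemEmptyRecycleBin", "", "OptionSetStatus Restarting System...",
              "OptionPauseNow 1000", "SystemRestartIfNeeded Rebooting System|1", ""]
    # Same trailing check as the helper's script: log anything still on disk.
    lines += [f"LogIfFileExists {p}" for p in bfu_files]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_bfu_script(SAMPLE_MBAM_LOG), end="")
```

Running the block prints a script you would save as C:\BFU\fix.bfu exactly as in the instructions above; diff it against the hand-written one before use, since the names that only an analyst knows about will be missing.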
muvva_oz (New Member, Posts: 7, OS: xp)
Post #5, Sep 25 2008, 11:27 AM

Hi

Thanks so much for getting back to me.

Ok, I've followed your instructions to the letter. However, after following the instructions & executing BFU, it said that the computer would need to be restarted to complete the process (which I clicked 'yes' to restart). Then a popup box said script completed (or something like that), then another popup box immediately came up and said 'cannot quit'. The computer then restarted, but it didn't save a log of any type & removed.txt is not located in c:\bfu. I tried the whole process again, making sure that the 'show log after script ends' box was ticked, but still the same problem happens & the computer restarts with both popup boxes appearing, stating script completed & cannot quit, & there is no removed.txt file in the BFU folder. I've run a new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:30 AM, on 26/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.oztion.com.au/secure/OA/sell/up...geUploader3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 5747 bytes


Please let me know what to do next.

Many thanks again



koko_crunch (Trusted Helper, Posts: 1,712, OS: Windows XP)
Post #6, Sep 25 2008, 02:16 PM

That's ok. Let's go ahead with an online scan to see if we made any progress.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then,

Please do an online scan with Kaspersky WebScanner

Temporarily disable your resident Antivirus software before proceeding.

The Welcome Information page will open. Click on Accept.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on Scan.
  • Under that section select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Enable your Anti-Virus protection once the scan is done.
muvva_oz
post Sep 26 2008, 06:12 AM
Post #7
New Member
Posts: 7
OS: xp

Hi again

OK, I've run the Kaspersky scan as instructed (phew, it did take a long time to complete the scan! lol). Here's a copy of the log:



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 25, 2008 23:02:28
Records in database: 1261818
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 420693
Threat name: 10
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 07:47:09


File name / Threat name / Threats count
C:\Documents and Settings\home\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\edtafct.sys Infected: Trojan-Clicker.Win32.VB.bud 1
C:\WINDOWS\system32\fduvfct.sys Infected: Trojan-Clicker.Win32.VB.bug 1
C:\WINDOWS\system32\tmp0_113579611828.bk.old Infected: Trojan-Downloader.Win32.Delf.obf 1
C:\WINDOWS\system32\tmp0_870141785073.bk.old Infected: Trojan.Win32.DNSChanger.inw 1
C:\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.byk 1
E:\BACKUP OF DATA 08_12_03\Program Files\Support Software\SS1.DLL Infected: not-a-virus:AdWare.Win32.MediaPops.c 1
E:\BACKUP OF DATA 08_12_03\Program Files\Win VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\Downloaded Program Files\imloader.exe Infected: not-a-virus:Downloader.Win32.ImLoader.l 1
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\system32\dbxDgrevCheck.dll Infected: not-a-virus:AdWare.Win32.Agent.ejp 1

The selected area was scanned.


Just let me know what I need to do next.

Thanks again for your help!

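The report above lists what it found only by file path. As an added example (not code from the thread, and not from Kaspersky), the following Python script parses the report's detection lines and splits them into real detections and the entries Kaspersky itself labels not-a-virus, which is the distinction a helper makes before deciding what to move: here the not-a-virus entries are a SmitfraudFix helper, a VNC viewer and old adware sitting in a backup, while every real trojan lives in system32 on the live OS. The detection lines are copied from the report above; the location labels, the category split and the function names are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Detection lines copied from the Kaspersky Online Scanner 7 report above
# (a header and footer line are included to show the parser skipping them).
REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\home\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\edtafct.sys Infected: Trojan-Clicker.Win32.VB.bud 1
C:\WINDOWS\system32\fduvfct.sys Infected: Trojan-Clicker.Win32.VB.bug 1
C:\WINDOWS\system32\tmp0_113579611828.bk.old Infected: Trojan-Downloader.Win32.Delf.obf 1
C:\WINDOWS\system32\tmp0_870141785073.bk.old Infected: Trojan.Win32.DNSChanger.inw 1
C:\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.byk 1
E:\BACKUP OF DATA 08_12_03\Program Files\Support Software\SS1.DLL Infected: not-a-virus:AdWare.Win32.MediaPops.c 1
E:\BACKUP OF DATA 08_12_03\Program Files\Win VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\Downloaded Program Files\imloader.exe Infected: not-a-virus:Downloader.Win32.ImLoader.l 1
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\system32\dbxDgrevCheck.dll Infected: not-a-virus:AdWare.Win32.Agent.ejp 1

The selected area was scanned.
"""

# One detection per line: "<path> Infected: <threat name> <count>".
# Threat names contain no spaces, so the lazy path match stops at the right place.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def is_riskware(self) -> bool:
        # Kaspersky's prefix for adware, risk tools, remote-admin software and
        # similar items it reports but does not classify as malware.
        return self.threat.startswith("not-a-virus:")

    @property
    def category(self) -> str:
        # "Trojan-Clicker.Win32.VB.bud"          -> "Trojan-Clicker"
        # "not-a-virus:RiskTool.Win32.Reboot.f"  -> "RiskTool"
        return self.threat.split(":", 1)[-1].split(".", 1)[0]

    @property
    def location(self) -> str:
        # Labels chosen for this example: hits in system32 on the live OS matter
        # most; backups and the recycle bin are inert until something runs them.
        p = self.path.lower()
        if p.startswith("c:\\windows\\system32\\"):
            return "system32"
        if "\\recycler\\" in p:
            return "recycle-bin"
        if p.startswith("c:\\"):
            return "system-drive"
        return "other-drive"


def parse_report(text: str) -> list[Detection]:
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(text: str) -> dict[str, list[Detection]]:
    """Split detections into real malware and not-a-virus entries."""
    dets = parse_report(text)
    return {
        "malware": [d for d in dets if not d.is_riskware],
        "riskware": [d for d in dets if d.is_riskware],
    }


def report_lines(text: str) -> list[str]:
    out = []
    for kind, items in triage(text).items():
        out.append(f"== {kind} ({len(items)}) ==")
        for d in items:
            out.append(f"  [{d.location:12}] {d.category:17} {d.path}")
    return out


if __name__ == "__main__":
    print("\n".join(report_lines(REPORT)))
```

Run it as a script to print the two groups; on this report every real detection (three Trojan-Clicker drivers, a Trojan-Downloader and a DNSChanger) is in system32, and the five not-a-virus entries are tools or leftovers on other drives.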
koko_crunch
post Sep 26 2008, 08:49 AM
Post #8
Trusted Helper
Posts: 1,712
OS: Windows XP

Just some minor cleanup.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    C:\Documents and Settings\home\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe
    C:\WINDOWS\system32\edtafct.sys
    C:\WINDOWS\system32\fduvfct.sys
    C:\WINDOWS\system32\tmp0_113579611828.bk.old
    C:\WINDOWS\system32\tmp0_870141785073.bk.old
    C:\WINDOWS\system32\xdufytw.sys
    E:\BACKUP OF DATA 08_12_03\Program Files\Support Software\SS1.DLL
    E:\BACKUP OF DATA 08_12_03\Program Files\Win VNC\vncviewer.exe
    E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\Downloaded Program Files\imloader.exe
    E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\system32\dbxDgrevCheck.dll

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Finally,

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Logs required.
- OTMoveit log
- SuperAntispyware log
- New HijackThis log
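The helper asks for a fresh HijackThis log once the cleanup is done. The quickest way to tell whether a loader is still active is to diff the Running processes section of the old and new logs and look at what is still running out of system32. The following Python script is an added example, not part of the thread and not part of HijackThis or OTMoveIt: the two logs embedded in it are constructed, with made-up names such as kdfwjhl.exe standing in for dropped files, and the KNOWN_SYSTEM32 allowlist and the looks_generated() name heuristic are this example's own assumptions (a real check would verify publisher signatures or hashes rather than file names).

```python
from __future__ import annotations

import re

# Assumption for this example: a minimal allowlist of stock Windows XP and
# vendor binaries taken from the thread's logs. Real triage would verify
# publisher signatures or hashes rather than trust file names.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "searchindexer.exe", "brsvc01a.exe", "brss01a.exe",
}

# Constructed sample logs (not the thread's): stock processes plus made-up
# machine-generated names standing in for dropped files. Between the two
# runs one dropped file is gone, two survive and a new one has appeared.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kdfwjhl.exe
C:\WINDOWS\system32\pxvtrmq.exe
C:\WINDOWS\system32\zhtwgkr.exe
C:\Program Files\Internet Explorer\iexplore.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kdfwjhl.exe
C:\WINDOWS\system32\pxvtrmq.exe
C:\WINDOWS\system32\vrkdwtp.exe
C:\WINDOWS\system32\SearchIndexer.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


def running_processes(log: str) -> list[str]:
    """Entries of the 'Running processes:' section, lower-cased for comparison."""
    procs: list[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:  # HijackThis ends the section with a blank line
                break
            procs.append(line.lower())
    return procs


def looks_generated(filename: str) -> bool:
    """Heuristic, not a verdict: 6-9 letters, no digits, and either few vowels
    or a long consonant run. It misfires on abbreviations such as spoolsv,
    which is why suspicious_system32() consults the allowlist instead."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z]{6,9}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.35 or longest_run >= 4


def suspicious_system32(procs: list[str]) -> list[str]:
    """Processes loaded from system32 that are not on the allowlist."""
    out = []
    for p in procs:
        folder, _, name = p.rpartition("\\")
        if folder == r"c:\windows\system32" and name not in KNOWN_SYSTEM32:
            out.append(p)
    return sorted(out)


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    b, a = set(running_processes(before)), set(running_processes(after))
    return {"gone": sorted(b - a), "new": sorted(a - b), "persisting": sorted(a & b)}


def reinfection_report(before: str, after: str) -> dict[str, list[str]]:
    """What the cleanup removed, what survived it, and what was dropped since."""
    d = diff_logs(before, after)
    return {
        "removed": suspicious_system32(d["gone"]),
        "survived_cleanup": suspicious_system32(d["persisting"]),
        "newly_dropped": suspicious_system32(d["new"]),
    }


if __name__ == "__main__":
    for key, paths in reinfection_report(BEFORE_LOG, AFTER_LOG).items():
        for p in paths:
            tag = " (random-looking name)" if looks_generated(p.rpartition("\\")[2]) else ""
            print(f"{key:17} {p}{tag}")
```

Anything in "survived_cleanup" or "newly_dropped" means the files were removed but whatever writes them was not, and the next step is finding that loader (a service, a driver or a scheduled task) rather than deleting the same files again.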
muvva_oz
post Sep 26 2008, 01:53 PM
Post #9
New Member
Posts: 7
OS: xp

Hi

Thanks again for your help. Here are the logs:

C:\Documents and Settings\home\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe moved successfully.
C:\WINDOWS\system32\edtafct.sys moved successfully.
C:\WINDOWS\system32\fduvfct.sys moved successfully.
C:\WINDOWS\system32\tmp0_113579611828.bk.old moved successfully.
C:\WINDOWS\system32\tmp0_870141785073.bk.old moved successfully.
C:\WINDOWS\system32\xdufytw.sys moved successfully.
E:\BACKUP OF DATA 08_12_03\Program Files\Support Software\SS1.DLL unregistered successfully.
E:\BACKUP OF DATA 08_12_03\Program Files\Support Software\SS1.DLL moved successfully.
E:\BACKUP OF DATA 08_12_03\Program Files\Win VNC\vncviewer.exe moved successfully.
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\Downloaded Program Files\imloader.exe moved successfully.
DllUnregisterServer procedure not found in E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\system32\dbxDgrevCheck.dll
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\system32\dbxDgrevCheck.dll NOT unregistered.
E:\RECYCLER\S-1-5-21-73586283-813497703-854245398-1007\De1\system32\dbxDgrevCheck.dll moved successfully.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09272008_013518


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/27/2008 at 04:59 AM

Application Version : 4.21.1004

Core Rules Database Version : 3580
Trace Rules Database Version: 1568

Scan type : Complete Scan
Total Scan Time : 03:15:02

Memory items scanned : 345
Memory threats detected : 0
Registry items scanned : 5687
Registry threats detected : 0
File items scanned : 420053
File threats detected : 65




Adware.Tracking Cookie
C:\Documents and Settings\home\Cookies\home@atdmt[2].txt
C:\Documents and Settings\home\Cookies\home@bs.serving-sys[2].txt
C:\Documents and Settings\home\Cookies\home@tacoda[2].txt
C:\Documents and Settings\home\Cookies\home@serving-sys[2].txt
C:\Documents and Settings\home\Cookies\home@advertising[2].txt
C:\Documents and Settings\home\Cookies\home@doubleclick[1].txt
C:\Documents and Settings\home\Cookies\home@mediaplex[2].txt
C:\Documents and Settings\home\Cookies\home@data.coremetrics[1].txt
C:\Documents and Settings\home\Cookies\home@tracking.keywordmax[1].txt
C:\Documents and Settings\home\Cookies\home@adopt.euroclick[1].txt
C:\Documents and Settings\home\Cookies\home@apmebf[1].txt
C:\Documents and Settings\home\Cookies\home@questionmarket[1].txt
C:\Documents and Settings\home\Cookies\home@overture[1].txt
C:\Documents and Settings\home\Cookies\home@imrworldwide[2].txt
C:\Documents and Settings\home\Cookies\home@www.googleadservices[1].txt
C:\Documents and Settings\home\Cookies\home@revsci[1].txt
C:\Documents and Settings\home\Cookies\home@tradedoubler[1].txt
C:\Documents and Settings\home\Cookies\home@statse.webtrendslive[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@ad-rotator[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@ad2.pamedia.com[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@ads.addesktop[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@ads.businessweek[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@aecmedia[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@atwola[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@bizrate[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@counter[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@dealtime[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@dynamicsitestats[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@exitexchange[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@fcstats.bcentral[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@imperialwatches234.freestats[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@indextools[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@insightexpress[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@insightfirst[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@kimbush.freestats[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@media3.sitebrand[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@media[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@searchco.freestats[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@searche.freestats[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@sprinks-clicks.about[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@stat.dealtime[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@stats.klsoft[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@stats.sitesuite[1].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@windowsmedia[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@www.clickxchange[2].txt
E:\BACKUP OF DATA 08_12_03\Documents and Settings\Laraine\Cookies\laraine@www.nextag[1].txt
.insightfirst.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
.atwola.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
hc2.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
hc2.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
hc2.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
hc2.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
hc2.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
www.web-stat.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
www.web-stat.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
www.hhousediscountmall.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
www.hhousediscountmall.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
ad.sensismediasmart.com.au [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
.imrworldwide.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
.superstats.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
www1.addfreestats.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
server.bizland.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]
server.bizland.humanclick.com [ E:\Documents and Settings\Laraine\My Documents\Copy of Application Data\Mozilla\Profiles\default\lhsih4ch.slt\cookies.txt ]

Unclassified.Unknown Origin
E:\DOCUMENTS AND SETTINGS\LARAINE\MY DOCUMENTS\WEBSITE\ZIPPED FOLDERS\FLASHMX2004-EN\PAINTSHOPPROV9.00CRACKFFF\KEYGEN.NFO
E:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 9\KEYGEN.NFO



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:42 AM, on 27/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS&#