Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Blue desktop with yellow box in the middle saying "Warning!..


  • This topic is locked This topic is locked

#1
op684

op684

    Member

  • Member
  • PipPip
  • 18 posts
My sister's computer has been infected with some sort of virus. EVery time the PC loads, the desktop background is blue with a yellow box in the middle with this text inside: "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." Other than that, the PC is VERY slow. When I try to click links on the internet, it forwards me to some search engines instead of the links. There are constant spontaneous dating websites/pornographic pop-ups even when there are no browsers open. Also spontaneously appear shortcuts on desktop that link to pornographic material on the internet. When I tried to download Firefox from mozilla.com, the version it downloads is French, instead of English, so I had to download the English version from some other website.

I've tried everything to fix this, but to no avail. No Smitfraud, adware/spyware remover, or any other program I tried removes it. Apparently, her PC caught the virus after she was browsing some Russian celebrity news websites.

I don't want to format the hard disk and reinstall, so is there anything I can do to fix her computer?

Please help in any way you can. Thanks a lot.

Here's the HiJack report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:04, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - {292c9657-b39c-41f9-993b-b34170bc9d79} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0651E167-92CF-427A-983A-B4155E2D52E9} - C:\WINDOWS\system32\CSCDL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202187441.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\emil\LOCALS~1\Temp\wdc1.exe
O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\emil\LOCALS~1\Temp\wda2.exe
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm3.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu4.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\emil\LOCALS~1\Temp\wdc5.exe
O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\emil\LOCALS~1\Temp\wda6.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm7.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu8.exe
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello op684

Welcome to G2Go. :)
===============
I see no anti virus so the first thing I will need you to do is to Download this anti-virus program and install it.
This is free.
AVG free
======================================
After that Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\CSCDL.dll
    C:\Program Files\Helper
    C:\DOCUME~1\emil\LOCALS~1\Temp\wdc1.exe
    C:\DOCUME~1\emil\LOCALS~1\Temp\wda2.exe
    C:\WINDOWS\wdm3.exe
    C:\WINDOWS\wdu4.exe
    C:\WINDOWS\system32\ctfmona.exe
    C:\Program Files\AntiVirusPro
    C:\Program Files\Ultimate Cleaner
    C:\DOCUME~1\emil\LOCALS~1\Temp\wdc5.exe
    C:\WINDOWS\wdm7.exe
    C:\WINDOWS\wdu8.exe
    C:\WINDOWS\system32\wowfx.dll

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

========================================
After that Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Also post the OT move it log.
  • 0

#3
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Will do and report ASAP. Many thanks for such a quick response, kahdah.

Edited by op684, 05 February 2008 - 09:50 PM.

  • 0

#4
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
OTMoveIt log:

DllUnregisterServer procedure not found in C:\WINDOWS\system32\CSCDL.dll
C:\WINDOWS\system32\CSCDL.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\CSCDL.dll scheduled to be moved on reboot.
C:\Program Files\Helper moved successfully.
File/Folder C:\DOCUME~1\emil\LOCALS~1\Temp\wdc1.exe not found.
File/Folder C:\DOCUME~1\emil\LOCALS~1\Temp\wda2.exe not found.
File/Folder C:\WINDOWS\wdm3.exe not found.
File/Folder C:\WINDOWS\wdu4.exe not found.
File/Folder C:\WINDOWS\system32\ctfmona.exe not found.
C:\Program Files\AntiVirusPro\Quarantine moved successfully.
C:\Program Files\AntiVirusPro moved successfully.
File/Folder C:\Program Files\Ultimate Cleaner not found.
File/Folder C:\DOCUME~1\emil\LOCALS~1\Temp\wdc5.exe not found.
File/Folder C:\WINDOWS\wdm7.exe not found.
File/Folder C:\WINDOWS\wdu8.exe not found.
LoadLibrary failed for C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wowfx.dll NOT unregistered.
C:\WINDOWS\system32\wowfx.dll moved successfully.
OTMoveIt2 v1.0.17 log created on 02062008_000427

ComboFix

ComboFix 08-02.05.3 - emil 2008-02-06 0:15:33.1 - NTFSx86
Running from: C:\Documents and Settings\emil\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\emil\Application Data\Ultimate Cleaner
C:\Documents and Settings\emil\Application Data\Ultimate Cleaner\settings.dat
C:\Documents and Settings\emil\Application Data\Ultimate Defender
C:\Documents and Settings\emil\Application Data\Ultimate Defender\logs\1158895062.log
C:\Documents and Settings\emil\Application Data\Ultimate Defender\logs\1163726017.log
C:\Documents and Settings\emil\Application Data\Ultimate Defender\logs\1163735772.log
C:\Documents and Settings\emil\Application Data\ultra
C:\Documents and Settings\emil\Application Data\ultra\uninstall.bat
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\cscdl.dll
C:\WINDOWS\system32\drivers\dpgmrhqi.dat
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wowfx.dll . . . . failed to delete
C:\WINDOWS\system32\wscmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTLOAD
-------\LEGACY_WUOZKAZW
-------\wuozkazw


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-06 00:04 . 2008-02-06 00:04 <DIR> d-------- C:\_OTMoveIt
2008-02-05 23:59 . 2008-02-06 00:00 <DIR> d-------- C:\Documents and Settings\emil\Application Data\AVG7
2008-02-05 23:58 . 2008-02-05 23:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-05 23:57 . 2008-02-05 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-05 22:53 . 2008-02-05 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-02-05 22:53 . 2008-02-05 22:53 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-02-05 22:53 . 2008-02-05 22:53 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-05 22:53 . 2008-02-05 22:53 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-05 20:32 . 2008-02-05 20:29 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-02-05 20:29 . 2008-02-05 22:32 <DIR> d-------- C:\Documents and Settings\emil\.housecall6.6
2008-02-05 20:27 . 2008-02-05 20:27 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-05 19:44 . 2008-02-05 19:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 18:14 . 2008-02-05 18:14 269,334 --a------ C:\WINDOWS\SYSTEM32\edorelknepgnid.bmp
2008-02-05 18:10 . 2008-02-05 18:10 269,334 --a------ C:\WINDOWS\SYSTEM32\dobqtob.bmp
2008-02-05 16:45 . 2008-02-05 16:45 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-02-05 16:37 . 2008-02-05 16:37 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 16:32 . 2008-02-05 16:32 <DIR> d-------- C:\Documents and Settings\emil\Application Data\Grisoft
2008-02-05 16:32 . 2008-02-05 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 16:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-05 16:13 . 2008-02-05 16:13 269,334 --a------ C:\WINDOWS\SYSTEM32\srqlknqt.bmp
2008-02-05 15:45 . 2008-02-05 15:46 230,912 --a------ C:\WINDOWS\SYSTEM32\wscmp.dll.tmp
2008-02-05 15:42 . 2008-02-05 15:42 269,334 --a------ C:\WINDOWS\SYSTEM32\ormdsjatkbip.bmp
2008-02-05 15:31 . 2008-02-05 15:31 269,334 --a------ C:\WINDOWS\SYSTEM32\crihcrmlkbmt.bmp
2008-02-04 23:56 . 2008-02-04 23:56 269,334 --a------ C:\WINDOWS\SYSTEM32\cjqlcfmlcnmtob.bmp
2008-02-04 20:41 . 2008-02-04 20:41 269,334 --a------ C:\WINDOWS\SYSTEM32\obepkfetonahgn.bmp
2008-02-04 19:55 . 2008-02-04 19:55 269,334 --a------ C:\WINDOWS\SYSTEM32\snetsr.bmp
2008-02-04 16:28 . 2008-02-04 16:28 269,334 --a------ C:\WINDOWS\SYSTEM32\ofilgnatoradcf.bmp
2008-02-04 13:18 . 2008-02-04 13:18 269,334 --a------ C:\WINDOWS\SYSTEM32\cjmpobidgjit.bmp
2008-02-04 11:58 . 2008-02-04 11:58 269,334 --a------ C:\WINDOWS\SYSTEM32\kfadcbilcrqh.bmp
2008-02-03 21:28 . 2008-02-03 21:28 269,334 --a------ C:\WINDOWS\SYSTEM32\bqdgbmlcnahkn.bmp
2008-02-03 21:25 . 2008-02-03 21:25 269,334 --a------ C:\WINDOWS\SYSTEM32\bapcfahcjip.bmp
2008-02-03 20:57 . 2008-02-03 20:57 269,334 --a------ C:\WINDOWS\SYSTEM32\tkbqtgfmp.bmp
2008-02-03 20:43 . 2008-02-03 20:43 269,334 --a------ C:\WINDOWS\SYSTEM32\adsfqlkrap.bmp
2008-02-03 20:27 . 2008-02-03 20:27 269,334 --a------ C:\WINDOWS\SYSTEM32\snmtsridkb.bmp
2008-02-03 12:17 . 2008-02-03 12:17 269,334 --a------ C:\WINDOWS\SYSTEM32\tobidobqhoj.bmp
2008-02-02 23:14 . 2008-02-02 23:14 269,334 --a------ C:\WINDOWS\SYSTEM32\ojitsrmh.bmp
2008-02-02 22:13 . 2008-02-02 22:13 269,334 --a------ C:\WINDOWS\SYSTEM32\lcbmlcjitsb.bmp
2008-02-02 16:38 . 2008-02-02 16:38 269,334 --a------ C:\WINDOWS\SYSTEM32\tcjmpojahgbih.bmp
2008-02-02 13:00 . 2008-02-02 13:00 269,334 --a------ C:\WINDOWS\SYSTEM32\tobedonaporad.bmp
2008-02-01 19:30 . 2008-02-01 19:30 269,334 --a------ C:\WINDOWS\SYSTEM32\hcbmdorqtkf.bmp
2008-02-01 18:14 . 2008-02-01 18:14 269,334 --a------ C:\WINDOWS\SYSTEM32\pcfmpgbqp.bmp
2008-02-01 11:03 . 2008-02-01 11:03 269,334 --a------ C:\WINDOWS\SYSTEM32\grehknadcrel.bmp
2008-02-01 10:49 . 2008-02-05 15:48 3,262 --a------ C:\WINDOWS\SYSTEM32\sex5.ico
2008-02-01 10:48 . 2008-02-01 19:00 3,262 --a------ C:\WINDOWS\SYSTEM32\sex4.ico
2008-02-01 10:48 . 2008-02-01 19:02 3,262 --a------ C:\WINDOWS\SYSTEM32\sex3.ico
2008-02-01 10:47 . 2008-02-01 18:18 3,262 --a------ C:\WINDOWS\SYSTEM32\sex2.ico
2008-02-01 10:47 . 2008-02-05 15:48 3,262 --a------ C:\WINDOWS\SYSTEM32\sex1.ico
2008-02-01 10:44 . 2008-02-01 10:44 269,334 --a------ C:\WINDOWS\SYSTEM32\bipcn.bmp
2008-01-31 20:43 . 2008-01-31 20:43 269,334 --a------ C:\WINDOWS\SYSTEM32\pojit.bmp
2008-01-31 20:15 . 2008-01-31 20:15 269,334 --a------ C:\WINDOWS\SYSTEM32\adcrmpcfmhcrep.bmp
2008-01-31 15:31 . 2008-01-31 15:31 269,334 --a------ C:\WINDOWS\SYSTEM32\tkbqlsretkfep.bmp
2008-01-31 14:26 . 2008-01-31 14:26 269,334 --a------ C:\WINDOWS\SYSTEM32\mlsjmhsnmpcr.bmp
2008-01-31 11:11 . 2008-01-31 11:11 269,334 --a------ C:\WINDOWS\SYSTEM32\sfilkbetsf.bmp
2008-01-31 08:33 . 2008-01-31 08:33 269,334 --a------ C:\WINDOWS\SYSTEM32\knilsrqh.bmp
2008-01-30 11:50 . 2008-01-30 11:50 269,334 --a------ C:\WINDOWS\SYSTEM32\cfqpsnqtgj.bmp
2008-01-30 00:05 . 2008-01-30 00:05 269,334 --a------ C:\WINDOWS\SYSTEM32\gjipgnetkn.bmp
2008-01-29 18:46 . 2008-01-29 18:46 33,106 --a------ C:\Documents and Settings\emil\Application Data\61151.exe
2008-01-29 18:44 . 2008-01-29 18:44 269,334 --a------ C:\WINDOWS\SYSTEM32\tsratcrilsbih.bmp
2008-01-29 11:51 . 2008-01-29 11:51 269,334 --a------ C:\WINDOWS\SYSTEM32\tgnehsbapofmh.bmp
2008-01-28 10:22 . 2008-01-28 10:22 269,334 --a------ C:\WINDOWS\SYSTEM32\bmlonilcrqdkb.bmp
2008-01-27 19:34 . 2008-01-27 19:34 269,334 --a------ C:\WINDOWS\SYSTEM32\srqpofatgfmh.bmp
2008-01-26 21:03 . 2008-01-26 21:03 269,334 --a------ C:\WINDOWS\SYSTEM32\ahkbatsbat.bmp
2008-01-25 22:41 . 2008-01-25 22:41 269,334 --a------ C:\WINDOWS\SYSTEM32\hgjipkrih.bmp
2008-01-25 21:22 . 2008-01-25 21:22 269,334 --a------ C:\WINDOWS\SYSTEM32\ipkjmpkrqdsnml.bmp
2008-01-25 20:53 . 2008-01-25 20:53 269,334 --a------ C:\WINDOWS\SYSTEM32\gjepsr.bmp
2008-01-25 20:24 . 2008-01-25 20:24 269,334 --a------ C:\WINDOWS\SYSTEM32\tgfqlsretof.bmp
2008-01-25 20:23 . 2008-01-25 20:23 269,334 --a------ C:\WINDOWS\SYSTEM32\hgnmh.bmp
2008-01-25 20:18 . 2008-01-25 20:18 269,334 --a------ C:\WINDOWS\SYSTEM32\pgnqd.bmp
2008-01-25 20:17 . 2008-01-25 20:17 269,334 --a------ C:\WINDOWS\SYSTEM32\dknatcn.bmp
2008-01-25 20:12 . 2008-01-25 20:12 269,334 --a------ C:\WINDOWS\SYSTEM32\sbidorqtgrqlob.bmp
2008-01-25 20:09 . 2008-01-25 20:09 269,334 --a------ C:\WINDOWS\SYSTEM32\lonmpsrah.bmp
2008-01-25 19:08 . 2008-01-25 19:08 269,334 --a------ C:\WINDOWS\SYSTEM32\nilcretofqh.bmp
2008-01-25 19:07 . 2008-01-25 19:07 269,334 --a------ C:\WINDOWS\SYSTEM32\grilkjit.bmp
2008-01-25 18:46 . 2008-01-25 18:46 269,334 --a------ C:\WINDOWS\SYSTEM32\ralkf.bmp
2008-01-23 00:25 . 2008-01-23 00:25 269,334 --a------ C:\WINDOWS\SYSTEM32\dkbetonilcned.bmp
2008-01-22 17:28 . 2008-01-22 17:28 269,334 --a------ C:\WINDOWS\SYSTEM32\bqlkn.bmp
2008-01-22 11:57 . 2008-01-22 11:57 269,334 --a------ C:\WINDOWS\SYSTEM32\bilsfqpofip.bmp
2008-01-21 20:51 . 2008-01-21 20:51 269,334 --a------ C:\WINDOWS\SYSTEM32\cjilsbahsjed.bmp
2008-01-21 18:20 . 2008-01-21 18:20 269,334 --a------ C:\WINDOWS\SYSTEM32\pgbqpgbit.bmp
2008-01-21 13:05 . 2008-01-21 13:05 269,334 --a------ C:\WINDOWS\SYSTEM32\crapor.bmp
2008-01-20 21:30 . 2008-01-20 21:30 269,334 --a------ C:\WINDOWS\SYSTEM32\hkfetsfqtcjah.bmp
2008-01-20 10:21 . 2008-01-20 10:21 269,334 --a------ C:\WINDOWS\SYSTEM32\aporqpcfqpgbid.bmp
2008-01-20 00:52 . 2008-01-20 00:52 269,334 --a------ C:\WINDOWS\SYSTEM32\jetobmpsbmpsb.bmp
2008-01-20 00:49 . 2008-01-20 00:49 269,334 --a------ C:\WINDOWS\SYSTEM32\natgj.bmp
2008-01-19 20:55 . 2008-01-19 20:55 269,334 --a------ C:\WINDOWS\SYSTEM32\hobetkrehcbal.bmp
2008-01-19 19:08 . 2008-01-19 19:08 269,334 --a------ C:\WINDOWS\SYSTEM32\ipsnqlonipkf.bmp
2008-01-19 11:46 . 2008-01-19 11:46 269,334 --a------ C:\WINDOWS\SYSTEM32\kfepkjedof.bmp
2008-01-18 19:53 . 2008-01-18 19:53 269,334 --a------ C:\WINDOWS\SYSTEM32\ofqdgjipoj.bmp
2008-01-18 17:03 . 2008-01-18 17:03 269,334 --a------ C:\WINDOWS\SYSTEM32\knilsjetknqh.bmp
2008-01-17 23:57 . 2008-01-17 23:57 269,334 --a------ C:\WINDOWS\SYSTEM32\dcfmh.bmp
2008-01-17 23:29 . 2008-01-17 23:29 269,334 --a------ C:\WINDOWS\SYSTEM32\dsfalgbepob.bmp
2008-01-17 20:35 . 2008-01-17 20:35 269,334 --a------ C:\WINDOWS\SYSTEM32\dgbehgr.bmp
2008-01-16 17:43 . 2008-01-16 17:43 269,334 --a------ C:\WINDOWS\SYSTEM32\hkjqpoj.bmp
2008-01-16 16:47 . 2008-01-16 16:47 <DIR> d-------- C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
2008-01-16 16:46 . 2008-01-16 16:46 269,334 --a------ C:\WINDOWS\SYSTEM32\tknahcb.bmp
2008-01-15 10:42 . 2008-01-15 10:42 13,824 --a------ C:\WINDOWS\wduB.exe
2008-01-15 10:42 . 2008-01-15 10:42 13,824 --a------ C:\WINDOWS\wdmA.exe
2008-01-12 21:11 . 2008-01-12 21:11 <DIR> d-------- C:\Documents and Settings\emil\Application Data\InfeStop.com
2008-01-12 21:10 . 2008-01-13 13:13 <DIR> d-------- C:\Program Files\InfeStop
2008-01-12 17:30 . 2005-05-13 21:23 150,576 --a------ C:\Documents and Settings\emil\Application Data\spyguard.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 04:37 --------- d-----w C:\Program Files\Google
2008-01-26 03:55 --------- d-----w C:\Program Files\eMule
2008-01-26 03:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\MP3 FILM ELSE PURE
2008-01-26 02:48 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-26 00:03 --------- d-----w C:\Program Files\Real
2008-01-13 18:16 --------- d-----w C:\Program Files\DivX
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}]
C:\Program Files\Helper\1202187441.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-30 19:42 68856]
"Windows Defender Monitor"="C:\WINDOWS\wdm7.exe" [ ]
"Windows Defender Updater"="C:\WINDOWS\wdu8.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"="C:\WINDOWS\wdm3.exe" [ ]
"Windows Defender Updater"="C:\WINDOWS\wdu4.exe" [ ]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"AntiVirusPro"="C:\Program Files\AntiVirusPro\AntiVirusPro.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-05 23:57 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-05 23:57 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kamilla^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\kamilla\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\56fe227b.exe]
C:\WINDOWS\system32\56fe227b.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bat Global]
C:\DOCUME~1\emil\APPLIC~1\USERFA~1\bore move admin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bikini]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BufferZone]
C:\Program Files\BufferZone\CLIENTGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMLoader]
c:\program files\crystalys media\cm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-08-13 02:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\funk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
C:\Program Files\Canon\MultiPASS\MPTBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP_STATUS_MONITOR]
C:\Program Files\Canon\MultiPASS\monitr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MW1HelperStartUp]
C:\PROGRA~1\MAGICW~1\MW1HEL~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestTrap]
C:\Program Files\PestTrap\PestTrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-22 10:52 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rock]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sectdatathunkextra]
C:\Documents and Settings\All Users\Application Data\exitmpegsectdata\TYPE BOLT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-30 19:42 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-14 18:18 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Cleaner]
C:\Program Files\Ultimate Cleaner\App.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
C:\Program Files\Ultimate Defender\App.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsServicesStartup]
C:\DOCUME~1\kamilla\LOCALS~1\Temp\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MPService"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"gusvc"=3 (0x3)

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 22:15:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 00:24:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender Monitor = C:\WINDOWS\wdm7.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Windows Defender Updater = C:\WINDOWS\wdu8.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-06 0:30:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 05:29:52
  • 0

#5
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:35:30, on 06/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - {292c9657-b39c-41f9-993b-b34170bc9d79} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202187441.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm3.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu4.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm7.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu8.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5022 bytes
  • 0

#6
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I closed all the real-time protection programs, BUT, while ComboFix was working, AVG popped up, like it does after a restart. If I knew it was going to restart, I'd disable it. Should I do a scan again? Thank you very much.
  • 0

#7
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I will be back early tomorrow. Gotta leave now. Thanks again.
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No it worked fine.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\srqlknqt.bmp
C:\WINDOWS\SYSTEM32\wscmp.dll.tmp
C:\WINDOWS\SYSTEM32\ormdsjatkbip.bmp
C:\WINDOWS\SYSTEM32\crihcrmlkbmt.bmp
C:\WINDOWS\SYSTEM32\cjqlcfmlcnmtob.bmp
C:\WINDOWS\SYSTEM32\obepkfetonahgn.bmp
C:\WINDOWS\SYSTEM32\snetsr.bmp
C:\WINDOWS\SYSTEM32\ofilgnatoradcf.bmp
C:\WINDOWS\SYSTEM32\cjmpobidgjit.bmp
C:\WINDOWS\SYSTEM32\kfadcbilcrqh.bmp
C:\WINDOWS\SYSTEM32\bqdgbmlcnahkn.bmp
C:\WINDOWS\SYSTEM32\bapcfahcjip.bmp
C:\WINDOWS\SYSTEM32\tkbqtgfmp.bmp
C:\WINDOWS\SYSTEM32\adsfqlkrap.bmp
C:\WINDOWS\SYSTEM32\snmtsridkb.bmp
C:\WINDOWS\SYSTEM32\tobidobqhoj.bmp
C:\WINDOWS\SYSTEM32\ojitsrmh.bmp
C:\WINDOWS\SYSTEM32\lcbmlcjitsb.bmp
C:\WINDOWS\SYSTEM32\tcjmpojahgbih.bmp
C:\WINDOWS\SYSTEM32\tobedonaporad.bmp
C:\WINDOWS\SYSTEM32\hcbmdorqtkf.bmp
C:\WINDOWS\SYSTEM32\pcfmpgbqp.bmp
C:\WINDOWS\SYSTEM32\grehknadcrel.bmp
C:\WINDOWS\SYSTEM32\sex5.ico
C:\WINDOWS\SYSTEM32\sex4.ico
C:\WINDOWS\SYSTEM32\sex3.ico
C:\WINDOWS\SYSTEM32\sex2.ico
C:\WINDOWS\SYSTEM32\sex1.ico
C:\WINDOWS\SYSTEM32\bipcn.bmp
C:\WINDOWS\SYSTEM32\pojit.bmp
C:\WINDOWS\SYSTEM32\adcrmpcfmhcrep.bmp
C:\WINDOWS\SYSTEM32\tkbqlsretkfep.bmp
C:\WINDOWS\SYSTEM32\mlsjmhsnmpcr.bmp
C:\WINDOWS\SYSTEM32\sfilkbetsf.bmp
C:\WINDOWS\SYSTEM32\knilsrqh.bmp
C:\WINDOWS\SYSTEM32\cfqpsnqtgj.bmp
C:\WINDOWS\SYSTEM32\gjipgnetkn.bmp
C:\Documents and Settings\emil\Application Data\61151.exe
C:\WINDOWS\SYSTEM32\tsratcrilsbih.bmp
C:\WINDOWS\SYSTEM32\tgnehsbapofmh.bmp
C:\WINDOWS\SYSTEM32\bmlonilcrqdkb.bmp
C:\WINDOWS\SYSTEM32\srqpofatgfmh.bmp
C:\WINDOWS\SYSTEM32\ahkbatsbat.bmp
C:\WINDOWS\SYSTEM32\hgjipkrih.bmp
C:\WINDOWS\SYSTEM32\ipkjmpkrqdsnml.bmp
C:\WINDOWS\SYSTEM32\gjepsr.bmp
C:\WINDOWS\SYSTEM32\tgfqlsretof.bmp
C:\WINDOWS\SYSTEM32\hgnmh.bmp
C:\WINDOWS\SYSTEM32\pgnqd.bmp
C:\WINDOWS\SYSTEM32\dknatcn.bmp
C:\WINDOWS\SYSTEM32\sbidorqtgrqlob.bmp
C:\WINDOWS\SYSTEM32\lonmpsrah.bmp
C:\WINDOWS\SYSTEM32\nilcretofqh.bmp
C:\WINDOWS\SYSTEM32\grilkjit.bmp
C:\WINDOWS\SYSTEM32\ralkf.bmp
C:\WINDOWS\SYSTEM32\dkbetonilcned.bmp
C:\WINDOWS\SYSTEM32\bqlkn.bmp
C:\WINDOWS\SYSTEM32\bilsfqpofip.bmp
C:\WINDOWS\SYSTEM32\cjilsbahsjed.bmp
C:\WINDOWS\SYSTEM32\pgbqpgbit.bmp
C:\WINDOWS\SYSTEM32\crapor.bmp
C:\WINDOWS\SYSTEM32\hkfetsfqtcjah.bmp
C:\WINDOWS\SYSTEM32\aporqpcfqpgbid.bmp
C:\WINDOWS\SYSTEM32\jetobmpsbmpsb.bmp
C:\WINDOWS\SYSTEM32\natgj.bmp
C:\WINDOWS\SYSTEM32\hobetkrehcbal.bmp
C:\WINDOWS\SYSTEM32\ipsnqlonipkf.bmp
C:\WINDOWS\SYSTEM32\kfepkjedof.bmp
C:\WINDOWS\SYSTEM32\ofqdgjipoj.bmp
C:\WINDOWS\SYSTEM32\knilsjetknqh.bmp
C:\WINDOWS\SYSTEM32\dcfmh.bmp
C:\WINDOWS\SYSTEM32\dsfalgbepob.bmp
C:\WINDOWS\SYSTEM32\dgbehgr.bmp
C:\WINDOWS\SYSTEM32\hkjqpoj.bmp
C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
C:\WINDOWS\SYSTEM32\tknahcb.bmp
C:\WINDOWS\wduB.exe
C:\WINDOWS\wdmA.exe
C:\Documents and Settings\emil\Application Data\InfeStop.com
C:\Documents and Settings\emil\Application Data\spyguard.exe
C:\WINDOWS\system32\56fe227b.exe
C:\winstall.exe
C:\DOCUME~1\kamilla\LOCALS~1\Temp\svchost.exe
C:\WINDOWS\wdm7.exe
C:\WINDOWS\wdu8.exe
C:\WINDOWS\wdm3.exe
C:\WINDOWS\wdu4.exe
Folder::
C:\Program Files\InfeStop
C:\Documents and Settings\All Users\Application Data\MP3 FILM ELSE PURE
C:\DOCUME~1\emil\APPLIC~1\USERFA~1
c:\program files\crystalys media
C:\Program Files\PestTrap
C:\Documents and Settings\All Users\Application Data\exitmpegsectdata
C:\Program Files\Ultimate Cleaner
C:\Program Files\Ultimate Defender
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"=-
"Windows Defender Updater"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"=-
"Windows Defender Updater"=-
"ctfmona"=-
"AntiVirusPro"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
[-HKLM\~\startupfolder\C:^Documents and Settings^kamilla^Start Menu^Programs^Startup^.protected]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\56fe227b.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bat Global]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bikini]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMLoader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\funk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestTrap]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rock]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sectdatathunkextra]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Cleaner]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsServicesStartup]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#9
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
kahdah, I'll have to wait until tomorrow to do this as I can't be at my sister's place today.

Seeing how messed up their PC is, your help is VERY appreciated, kahdah. Thanks A LOT.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Okay no problem I will see you tomorrow. :)
  • 0

Advertisements


#11
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
COMBOFIX LOG:

ComboFix 08-02.05.3 - emil 2008-02-07 14:41:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.7.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\emil\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\emil\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\DOCUME~1\kamilla\LOCALS~1\Temp\svchost.exe
C:\Documents and Settings\emil\Application Data\61151.exe
C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\emil\Application Data\InfeStop.com
C:\Documents and Settings\emil\Application Data\spyguard.exe
C:\WINDOWS\system32\56fe227b.exe
C:\WINDOWS\SYSTEM32\adcrmpcfmhcrep.bmp
C:\WINDOWS\SYSTEM32\adsfqlkrap.bmp
C:\WINDOWS\SYSTEM32\ahkbatsbat.bmp
C:\WINDOWS\SYSTEM32\aporqpcfqpgbid.bmp
C:\WINDOWS\SYSTEM32\bapcfahcjip.bmp
C:\WINDOWS\SYSTEM32\bilsfqpofip.bmp
C:\WINDOWS\SYSTEM32\bipcn.bmp
C:\WINDOWS\SYSTEM32\bmlonilcrqdkb.bmp
C:\WINDOWS\SYSTEM32\bqdgbmlcnahkn.bmp
C:\WINDOWS\SYSTEM32\bqlkn.bmp
C:\WINDOWS\SYSTEM32\cfqpsnqtgj.bmp
C:\WINDOWS\SYSTEM32\cjilsbahsjed.bmp
C:\WINDOWS\SYSTEM32\cjmpobidgjit.bmp
C:\WINDOWS\SYSTEM32\cjqlcfmlcnmtob.bmp
C:\WINDOWS\SYSTEM32\crapor.bmp
C:\WINDOWS\SYSTEM32\crihcrmlkbmt.bmp
C:\WINDOWS\SYSTEM32\dcfmh.bmp
C:\WINDOWS\SYSTEM32\dgbehgr.bmp
C:\WINDOWS\SYSTEM32\dkbetonilcned.bmp
C:\WINDOWS\SYSTEM32\dknatcn.bmp
C:\WINDOWS\SYSTEM32\dsfalgbepob.bmp
C:\WINDOWS\SYSTEM32\gjepsr.bmp
C:\WINDOWS\SYSTEM32\gjipgnetkn.bmp
C:\WINDOWS\SYSTEM32\grehknadcrel.bmp
C:\WINDOWS\SYSTEM32\grilkjit.bmp
C:\WINDOWS\SYSTEM32\hcbmdorqtkf.bmp
C:\WINDOWS\SYSTEM32\hgjipkrih.bmp
C:\WINDOWS\SYSTEM32\hgnmh.bmp
C:\WINDOWS\SYSTEM32\hkfetsfqtcjah.bmp
C:\WINDOWS\SYSTEM32\hkjqpoj.bmp
C:\WINDOWS\SYSTEM32\hobetkrehcbal.bmp
C:\WINDOWS\SYSTEM32\ipkjmpkrqdsnml.bmp
C:\WINDOWS\SYSTEM32\ipsnqlonipkf.bmp
C:\WINDOWS\SYSTEM32\jetobmpsbmpsb.bmp
C:\WINDOWS\SYSTEM32\kfadcbilcrqh.bmp
C:\WINDOWS\SYSTEM32\kfepkjedof.bmp
C:\WINDOWS\SYSTEM32\knilsjetknqh.bmp
C:\WINDOWS\SYSTEM32\knilsrqh.bmp
C:\WINDOWS\SYSTEM32\lcbmlcjitsb.bmp
C:\WINDOWS\SYSTEM32\lonmpsrah.bmp
C:\WINDOWS\SYSTEM32\mlsjmhsnmpcr.bmp
C:\WINDOWS\SYSTEM32\natgj.bmp
C:\WINDOWS\SYSTEM32\nilcretofqh.bmp
C:\WINDOWS\SYSTEM32\obepkfetonahgn.bmp
C:\WINDOWS\SYSTEM32\ofilgnatoradcf.bmp
C:\WINDOWS\SYSTEM32\ofqdgjipoj.bmp
C:\WINDOWS\SYSTEM32\ojitsrmh.bmp
C:\WINDOWS\SYSTEM32\ormdsjatkbip.bmp
C:\WINDOWS\SYSTEM32\pcfmpgbqp.bmp
C:\WINDOWS\SYSTEM32\pgbqpgbit.bmp
C:\WINDOWS\SYSTEM32\pgnqd.bmp
C:\WINDOWS\SYSTEM32\pojit.bmp
C:\WINDOWS\SYSTEM32\ralkf.bmp
C:\WINDOWS\SYSTEM32\sbidorqtgrqlob.bmp
C:\WINDOWS\SYSTEM32\sex1.ico
C:\WINDOWS\SYSTEM32\sex2.ico
C:\WINDOWS\SYSTEM32\sex3.ico
C:\WINDOWS\SYSTEM32\sex4.ico
C:\WINDOWS\SYSTEM32\sex5.ico
C:\WINDOWS\SYSTEM32\sfilkbetsf.bmp
C:\WINDOWS\SYSTEM32\snetsr.bmp
C:\WINDOWS\SYSTEM32\snmtsridkb.bmp
C:\WINDOWS\SYSTEM32\srqlknqt.bmp
C:\WINDOWS\SYSTEM32\srqpofatgfmh.bmp
C:\WINDOWS\SYSTEM32\tcjmpojahgbih.bmp
C:\WINDOWS\SYSTEM32\tgfqlsretof.bmp
C:\WINDOWS\SYSTEM32\tgnehsbapofmh.bmp
C:\WINDOWS\SYSTEM32\tkbqlsretkfep.bmp
C:\WINDOWS\SYSTEM32\tkbqtgfmp.bmp
C:\WINDOWS\SYSTEM32\tknahcb.bmp
C:\WINDOWS\SYSTEM32\tobedonaporad.bmp
C:\WINDOWS\SYSTEM32\tobidobqhoj.bmp
C:\WINDOWS\SYSTEM32\tsratcrilsbih.bmp
C:\WINDOWS\SYSTEM32\wscmp.dll.tmp
C:\WINDOWS\wdm3.exe
C:\WINDOWS\wdm7.exe
C:\WINDOWS\wdmA.exe
C:\WINDOWS\wdu4.exe
C:\WINDOWS\wdu8.exe
C:\WINDOWS\wduB.exe
C:\winstall.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wowfx.dll . . . . failed to delete
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\MP3 FILM ELSE PURE
C:\Documents and Settings\emil\Application Data\61151.exe
C:\Documents and Settings\emil\Application Data\spyguard.exe
C:\Program Files\InfeStop
C:\WINDOWS\SYSTEM32\adcrmpcfmhcrep.bmp
C:\WINDOWS\SYSTEM32\adsfqlkrap.bmp
C:\WINDOWS\SYSTEM32\ahkbatsbat.bmp
C:\WINDOWS\SYSTEM32\aporqpcfqpgbid.bmp
C:\WINDOWS\SYSTEM32\bapcfahcjip.bmp
C:\WINDOWS\SYSTEM32\bilsfqpofip.bmp
C:\WINDOWS\SYSTEM32\bipcn.bmp
C:\WINDOWS\SYSTEM32\bmlonilcrqdkb.bmp
C:\WINDOWS\SYSTEM32\bqdgbmlcnahkn.bmp
C:\WINDOWS\SYSTEM32\bqlkn.bmp
C:\WINDOWS\SYSTEM32\cfqpsnqtgj.bmp
C:\WINDOWS\SYSTEM32\cjilsbahsjed.bmp
C:\WINDOWS\SYSTEM32\cjmpobidgjit.bmp
C:\WINDOWS\SYSTEM32\cjqlcfmlcnmtob.bmp
C:\WINDOWS\SYSTEM32\crapor.bmp
C:\WINDOWS\SYSTEM32\crihcrmlkbmt.bmp
C:\WINDOWS\SYSTEM32\dcfmh.bmp
C:\WINDOWS\SYSTEM32\dgbehgr.bmp
C:\WINDOWS\SYSTEM32\dkbetonilcned.bmp
C:\WINDOWS\SYSTEM32\dknatcn.bmp
C:\WINDOWS\SYSTEM32\dsfalgbepob.bmp
C:\WINDOWS\SYSTEM32\gjepsr.bmp
C:\WINDOWS\SYSTEM32\gjipgnetkn.bmp
C:\WINDOWS\SYSTEM32\grehknadcrel.bmp
C:\WINDOWS\SYSTEM32\grilkjit.bmp
C:\WINDOWS\SYSTEM32\hcbmdorqtkf.bmp
C:\WINDOWS\SYSTEM32\hgjipkrih.bmp
C:\WINDOWS\SYSTEM32\hgnmh.bmp
C:\WINDOWS\SYSTEM32\hkfetsfqtcjah.bmp
C:\WINDOWS\SYSTEM32\hkjqpoj.bmp
C:\WINDOWS\SYSTEM32\hobetkrehcbal.bmp
C:\WINDOWS\SYSTEM32\ipkjmpkrqdsnml.bmp
C:\WINDOWS\SYSTEM32\ipsnqlonipkf.bmp
C:\WINDOWS\SYSTEM32\jetobmpsbmpsb.bmp
C:\WINDOWS\SYSTEM32\kfadcbilcrqh.bmp
C:\WINDOWS\SYSTEM32\kfepkjedof.bmp
C:\WINDOWS\SYSTEM32\knilsjetknqh.bmp
C:\WINDOWS\SYSTEM32\knilsrqh.bmp
C:\WINDOWS\SYSTEM32\lcbmlcjitsb.bmp
C:\WINDOWS\SYSTEM32\lonmpsrah.bmp
C:\WINDOWS\SYSTEM32\mlsjmhsnmpcr.bmp
C:\WINDOWS\SYSTEM32\natgj.bmp
C:\WINDOWS\SYSTEM32\nilcretofqh.bmp
C:\WINDOWS\SYSTEM32\obepkfetonahgn.bmp
C:\WINDOWS\SYSTEM32\ofilgnatoradcf.bmp
C:\WINDOWS\SYSTEM32\ofqdgjipoj.bmp
C:\WINDOWS\SYSTEM32\ojitsrmh.bmp
C:\WINDOWS\SYSTEM32\ormdsjatkbip.bmp
C:\WINDOWS\SYSTEM32\pcfmpgbqp.bmp
C:\WINDOWS\SYSTEM32\pgbqpgbit.bmp
C:\WINDOWS\SYSTEM32\pgnqd.bmp
C:\WINDOWS\SYSTEM32\pojit.bmp
C:\WINDOWS\SYSTEM32\ralkf.bmp
C:\WINDOWS\SYSTEM32\sbidorqtgrqlob.bmp
C:\WINDOWS\SYSTEM32\sex1.ico
C:\WINDOWS\SYSTEM32\sex2.ico
C:\WINDOWS\SYSTEM32\sex3.ico
C:\WINDOWS\SYSTEM32\sex4.ico
C:\WINDOWS\SYSTEM32\sex5.ico
C:\WINDOWS\SYSTEM32\sfilkbetsf.bmp
C:\WINDOWS\SYSTEM32\snetsr.bmp
C:\WINDOWS\SYSTEM32\snmtsridkb.bmp
C:\WINDOWS\SYSTEM32\srqlknqt.bmp
C:\WINDOWS\SYSTEM32\srqpofatgfmh.bmp
C:\WINDOWS\SYSTEM32\tcjmpojahgbih.bmp
C:\WINDOWS\SYSTEM32\tgfqlsretof.bmp
C:\WINDOWS\SYSTEM32\tgnehsbapofmh.bmp
C:\WINDOWS\SYSTEM32\tkbqlsretkfep.bmp
C:\WINDOWS\SYSTEM32\tkbqtgfmp.bmp
C:\WINDOWS\SYSTEM32\tknahcb.bmp
C:\WINDOWS\SYSTEM32\tobedonaporad.bmp
C:\WINDOWS\SYSTEM32\tobidobqhoj.bmp
C:\WINDOWS\SYSTEM32\tsratcrilsbih.bmp
C:\WINDOWS\system32\wowfx.dll . . . . failed to delete
C:\WINDOWS\SYSTEM32\wscmp.dll.tmp
C:\WINDOWS\wdmA.exe
C:\WINDOWS\wduB.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-06 00:04 . 2008-02-06 00:04 <DIR> d-------- C:\_OTMoveIt
2008-02-05 23:59 . 2008-02-06 00:00 <DIR> d-------- C:\Documents and Settings\emil\Application Data\AVG7
2008-02-05 23:58 . 2008-02-05 23:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-05 23:57 . 2008-02-07 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-05 22:53 . 2008-02-05 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-02-05 22:53 . 2008-02-05 22:53 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-02-05 22:53 . 2008-02-05 22:53 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-05 22:53 . 2008-02-05 22:53 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-05 20:32 . 2008-02-05 20:29 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-02-05 20:29 . 2008-02-05 22:32 <DIR> d-------- C:\Documents and Settings\emil\.housecall6.6
2008-02-05 20:27 . 2008-02-05 20:27 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-05 19:44 . 2008-02-05 19:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 18:14 . 2008-02-05 18:14 269,334 --a------ C:\WINDOWS\SYSTEM32\edorelknepgnid.bmp
2008-02-05 18:10 . 2008-02-05 18:10 269,334 --a------ C:\WINDOWS\SYSTEM32\dobqtob.bmp
2008-02-05 16:45 . 2008-02-05 16:45 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-02-05 16:37 . 2008-02-05 16:37 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 16:32 . 2008-02-05 16:32 <DIR> d-------- C:\Documents and Settings\emil\Application Data\Grisoft
2008-02-05 16:32 . 2008-02-05 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 16:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-16 16:47 . 2008-01-16 16:47 <DIR> d-------- C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
2008-01-12 21:11 . 2008-01-12 21:11 <DIR> d-------- C:\Documents and Settings\emil\Application Data\InfeStop.com
2008-01-12 16:27 . 2008-01-12 16:27 <DIR> d-------- C:\Documents and Settings\emil\Application Data\spy-rid.com
2008-01-11 13:38 . 2008-01-13 13:16 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-11 13:38 . 2008-01-11 13:38 <DIR> d-------- C:\Documents and Settings\emil\Application Data\EasySpywareCleaner.com
2008-01-11 13:33 . 2005-06-09 23:11 18,944 --a------ C:\WINDOWS\SYSTEM32\wowfx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 04:37 --------- d-----w C:\Program Files\Google
2008-01-26 03:55 --------- d-----w C:\Program Files\eMule
2008-01-26 02:48 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-26 00:03 --------- d-----w C:\Program Files\Real
2008-01-13 18:16 --------- d-----w C:\Program Files\DivX
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-05 23:57 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-02-07 11:06 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BufferZone]
C:\Program Files\BufferZone\CLIENTGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-08-13 02:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
C:\Program Files\Canon\MultiPASS\MPTBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP_STATUS_MONITOR]
C:\Program Files\Canon\MultiPASS\monitr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MW1HelperStartUp]
C:\PROGRA~1\MAGICW~1\MW1HEL~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-22 10:52 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-30 19:42 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-14 18:18 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MPService"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 22:15:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 14:47:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-07 14:50:39 - machine was rebooted [emil]
ComboFix-quarantined-files.txt 2008-02-07 19:50:21
ComboFix2.txt 2008-02-06 05:30:08
  • 0

#12
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
HiJack LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:54:58, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - {292c9657-b39c-41f9-993b-b34170bc9d79} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

--
End of file - 3508 bytes
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\edorelknepgnid.bmp
C:\WINDOWS\SYSTEM32\dobqtob.bmp
C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\emil\Application Data\InfeStop.com
C:\Documents and Settings\emil\Application Data\spy-rid.com
C:\WINDOWS\SYSTEM32\wowfx.dll
C:\Documents and Settings\emil\Application Data\EasySpywareCleaner.com
C:\WINDOWS\SYSTEM32\wowfx.dll
Folder::
C:\Program Files\EasySpywareCleaner
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#14
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
One thing changed: the yellow box in the middle is gone after I did what said.

Heres the ComboFix log:

ComboFix 08-02.05.3 - emil 2008-02-07 20:47:01.4 - NTFSx86
Running from: C:\Documents and Settings\emil\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\emil\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\emil\Application Data\EasySpywareCleaner.com
C:\Documents and Settings\emil\Application Data\InfeStop.com
C:\Documents and Settings\emil\Application Data\spy-rid.com
C:\WINDOWS\SYSTEM32\dobqtob.bmp
C:\WINDOWS\SYSTEM32\edorelknepgnid.bmp
C:\WINDOWS\SYSTEM32\wowfx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\EasySpywareCleaner
C:\WINDOWS\SYSTEM32\dobqtob.bmp
C:\WINDOWS\SYSTEM32\edorelknepgnid.bmp
C:\WINDOWS\SYSTEM32\wowfx.dll
C:\WINDOWS\system32\wowfx.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 14:18 . 2004-08-04 06:00 388,608 --a------ C:\kmd.exe
2008-02-06 00:04 . 2008-02-06 00:04 <DIR> d-------- C:\_OTMoveIt
2008-02-05 23:59 . 2008-02-06 00:00 <DIR> d-------- C:\Documents and Settings\emil\Application Data\AVG7
2008-02-05 23:58 . 2008-02-05 23:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-05 23:57 . 2008-02-07 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-05 22:53 . 2008-02-05 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-02-05 22:53 . 2008-02-05 22:53 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-02-05 22:53 . 2008-02-05 22:53 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-05 22:53 . 2008-02-05 22:53 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-05 20:32 . 2008-02-05 20:29 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-02-05 20:29 . 2008-02-05 22:32 <DIR> d-------- C:\Documents and Settings\emil\.housecall6.6
2008-02-05 20:27 . 2008-02-05 20:27 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-05 19:44 . 2008-02-05 19:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 16:45 . 2008-02-05 16:45 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-02-05 16:37 . 2008-02-05 16:37 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 16:32 . 2008-02-05 16:32 <DIR> d-------- C:\Documents and Settings\emil\Application Data\Grisoft
2008-02-05 16:32 . 2008-02-05 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 16:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-16 16:47 . 2008-01-16 16:47 <DIR> d-------- C:\Documents and Settings\emil\Application Data\Anti-Virus-Pro.com
2008-01-12 21:11 . 2008-01-12 21:11 <DIR> d-------- C:\Documents and Settings\emil\Application Data\InfeStop.com
2008-01-12 16:27 . 2008-01-12 16:27 <DIR> d-------- C:\Documents and Settings\emil\Application Data\spy-rid.com
2008-01-11 13:38 . 2008-01-11 13:38 <DIR> d-------- C:\Documents and Settings\emil\Application Data\EasySpywareCleaner.com
2008-01-11 13:33 . 2005-06-08 13:17 18,944 --a------ C:\WINDOWS\SYSTEM32\wowfx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 04:37 --------- d-----w C:\Program Files\Google
2008-01-26 03:55 --------- d-----w C:\Program Files\eMule
2008-01-26 02:48 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-26 00:03 --------- d-----w C:\Program Files\Real
2008-01-13 18:16 --------- d-----w C:\Program Files\DivX
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-05 23:57 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-02-07 11:06 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BufferZone]
C:\Program Files\BufferZone\CLIENTGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-08-13 02:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
C:\Program Files\Canon\MultiPASS\MPTBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP_STATUS_MONITOR]
C:\Program Files\Canon\MultiPASS\monitr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MW1HelperStartUp]
C:\PROGRA~1\MAGICW~1\MW1HEL~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-22 10:52 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-30 19:42 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-14 18:18 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MPService"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 22:15:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 20:52:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-07 20:54:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 01:54:12
ComboFix2.txt 2008-02-07 19:50:40
ComboFix3.txt 2008-02-06 05:30:08
  • 0

#15
op684

op684

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:09:05, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - {292c9657-b39c-41f9-993b-b34170bc9d79} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

--
End of file - 3429 bytes
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP