help wanted ran all type of malware but unable remove the bagel [RESOL
maverickk
post Aug 8 2008, 01:22 PM
Post #1


New Member
Posts: 7
OS: XP




When I ran Malwarebytes I got the following log file:
Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Welcome\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Welcome\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
but nothing happened after reboot.

and eScan says
the system is infected with the Bagle virus and that the following files are infected:
1.mkdlec.exe
2.soras.sys
3.flec006.exe

Every time I run it, I am unable to run any updates, download from RapidShare, or run any downloaded programs; when the downloaded programs run, it says it's not a Win32 application. Please help me out.

This is the log file I got from Deckard's System Scanner on 2008-08-09 00:19:53:
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-08-08 18:49:56 UTC - RP231 - Deckard's System Scanner Restore Point
12: 2008-08-08 18:37:40 UTC - RP230 - Printer Driver Nitro PDF Driver 5 Installed
11: 2008-08-08 18:37:17 UTC - RP229 - Printer Driver Nitro PDF Driver 5 Installed
10: 2008-08-08 18:36:55 UTC - RP228 - Printer Driver Nitro PDF Driver 5 Installed
9: 2008-08-06 15:41:44 UTC - RP227 - System Checkpoint


-- First Restore Point --
1: 2008-08-03 09:10:41 UTC - RP219 - Printer Driver Nitro PDF Driver 5 Installed


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.81 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 00:24:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\eScan\Vista\avpmapp.exe
C:\Program Files\eScan\TRAYSSER.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\eScan\CONSCTL.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\eScan\TRAYICOS.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAGENT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Tally\tallylicserver.exe
C:\Tally\tally72.exe
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\eScan\Vista\escanmon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Welcome\My Documents\My Completed Downloads\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {61D176B3-4AE0-4521-9107-741BF4E34403} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\PROGRA~1\eScan\LAUNCH.EXE" /startup
O4 - HKLM\..\Run: [mwavscan_autoscan] "C:\PROGRA~1\eScan\mwavscan.com" /s /AUTORUNBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - (no file)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/4.../OGAControl.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/8/b...heckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://download.microsoft.com/download/7/4...helpcontrol.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.zapak.com/games/87/TriJinx.1.0.0.60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} () - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211991369343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com/games/332/SandScript.1.0.0.21.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{FF87A27A-7802-49B4-A223-9638F62C7727}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: eScan Monitor Service - MicroWorld Technologies Inc. - C:\Program Files\eScan\Vista\avpmapp.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\Program Files\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe
O24 - Desktop Component 0: - http://l.yimg.com/us.js.yimg.com/lib/pim/r...ailcommonlib.js

--
End of file - 12065 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R3 ProcObsrves (Process Creation Monitor) - c:\program files\escan\procobsrves.sys <Not Verified; MicroWorld Technologies Inc.; eScan/eConceal>

S3 slnt (Silan SC92031 PCI Fast Ethernet Adapter) - c:\windows\system32\drivers\slnt.sys <Not Verified; Silan Micro-Electronics Inc.; Silan Micro-Electronics Inc.>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
R2 eScan Monitor Service - c:\progra~1\escan\vista\avpmapp.exe <Not Verified; MicroWorld Technologies Inc.; eScan For Windows>
R2 eScan-trayicos (eScan Server-Updater) - c:\progra~1\escan\traysser.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
R2 MWAgent - c:\program files\common files\microworld\agent\mwaser.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
R2 Tally License Server (Tally License Server (NT)) - c:\tally\tallylicserver.exe -s

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: System Interrupt Controller
Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Manufacturer:
Name: System Interrupt Controller
PNP Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-03 20:00:02 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-18 00:12:58 346 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1204915249.job


-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-08 23:36:41 0 d-------- C:\Program Files\Trend Micro
2008-08-08 22:50:56 0 d-------- C:\327882R2FWJFW
2008-08-08 22:49:31 0 d-------- C:\Combo-Fix
2008-08-08 22:45:56 68349 --a------ C:\WINDOWS\system32\mdelk.exe
2008-08-08 22:37:47 21312 --a------ C:\WINDOWS\choice.exe
2008-08-08 22:37:26 0 d-------- C:\ie-spyad
2008-08-08 22:24:15 0 dr-h----- C:\Documents and Settings\Welcome\Recent
2008-08-07 23:34:14 0 d-------- C:\Documents and Settings\Welcome\Application Data\Malwarebytes
2008-08-07 23:34:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 23:34:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 21:33:45 0 d-------- C:\Program Files\CDisplay
2008-08-03 14:45:16 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-08-03 14:26:02 0 d-------- C:\PUB
2008-08-03 14:24:50 136730 --a------ C:\WINDOWS\winsbak2.reg
2008-08-03 14:24:50 14936 --a------ C:\WINDOWS\winsbak.reg
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Templates
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Start Menu
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Favorites
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Documents
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Desktop
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Application Data
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Templates
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Favorites
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Documents
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-03 14:24:48 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2008-08-03 14:24:47 0 d-------- C:\Program Files\Common Files\MicroWorld
2008-08-03 14:24:20 49152 --a------ C:\WINDOWS\killproc.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/ X-Spam/eConceal>
2008-08-03 14:24:14 509952 --a------ C:\WINDOWS\system32\eInstall.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
2008-08-03 14:24:13 155648 --a------ C:\WINDOWS\system32\mwnsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2008-08-03 14:24:13 1540096 --a------ C:\WINDOWS\system32\contfilt.dll <Not Verified; MicroWorld Technologies Inc.; eScan/WebScan for Windows>
2008-08-03 14:24:12 130560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL <Not Verified; ; BCB/Delphi Zip>
2008-08-03 14:24:12 125440 --a------ C:\WINDOWS\system32\UNZDLL.DLL <Not Verified; ; BCB/Delphi UnZip>
2008-08-03 14:24:12 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-03 14:24:12 425984 --a------ C:\WINDOWS\system32\mwtsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2008-08-03 14:24:12 32768 --a------ C:\WINDOWS\system32\esmxlog.dll
2008-08-03 14:24:12 8192 --a------ C:\WINDOWS\sporder.exe <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>
2008-08-03 14:24:12 8464 --a------ C:\WINDOWS\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-03 14:24:12 97280 --a------ C:\WINDOWS\inst_tspx.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/eConceal/X-Spam>
2008-08-03 14:24:12 57344 --a------ C:\WINDOWS\inst_tsp.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/eConceal/X-Spam>
2008-08-03 14:24:10 0 d-------- C:\WINDOWS\system32\FLCSS.EXE
2008-08-03 14:24:10 0 d-------- C:\WINDOWS\system32\ES_SETUP
2008-08-03 14:24:10 0 d-------- C:\Program Files\eScan
2008-08-03 14:24:10 0 d-------- C:\AVPDOS
2008-07-26 00:10:24 0 d-------- C:\Program Files\mIRC
2008-07-18 23:15:52 0 d-------- C:\Documents and Settings\Welcome\.housecall6.6
2008-07-16 00:39:27 0 d-------- C:\Documents and Settings\Welcome\Application Data\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Common Files\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Common Files\BCL Technologies
2008-07-16 00:37:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Nitro PDF
2008-07-15 22:56:44 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 22:56:20 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-07-15 22:56:17 0 d-------- C:\Program Files\DAP
2008-07-15 21:46:11 0 d-------- C:\pdfedit2
2008-07-15 21:41:14 0 d-------- C:\pdfedit
2008-07-12 23:39:16 30720 --a------ C:\WINDOWS\system32\rrr.EXE <Not Verified; Microsoft Corporation; Microsoft® Win32 SDK>
2008-07-12 22:28:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-12 22:22:52 0 d-------- C:\temp
2008-07-12 21:31:58 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-11 21:55:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-11 21:55:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2008-07-26 00:19:16 90876 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-05 23:07:24 0 d-------- C:\Program Files\Common Files\Ahead
2008-06-23 23:54:38 0 d-------- C:\Program Files\TheLearningPit
2008-06-19 23:37:22 0 d-------- C:\Program Files\Ahead
2008-06-19 22:40:52 1220 --a------ C:\WINDOWS\system32\yybdgMoq.ini2
2008-05-22 21:26:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-12 15:23:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61D176B3-4AE0-4521-9107-741BF4E34403}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [09/21/2006 04:36 PM C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [02/06/2007 07:30 AM C:\WINDOWS\system32\S3Trayp.exe]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [05/11/2007 03:47 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 02:52 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/24/2008 10:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [05/15/2007 03:55 PM]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [05/15/2007 03:55 PM]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [07/15/2008 10:56 PM]
"Nitro PDF Printer Monitor"="C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [07/10/2008 01:59 PM]
"eScan Updater"="C:\PROGRA~1\eScan\TRAYICOS.exe" [07/11/2008 04:35 PM]
"MailScan Dispatcher"="C:\PROGRA~1\eScan\LAUNCH.exe" [07/16/2008 04:10 PM]
"mwavscan_autoscan"="C:\PROGRA~1\eScan\mwavscan.com /s /AUTORUNBOOT" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 12:00 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/13/2008 11:54:58 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\qoMgdbyy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ade6824-b6e7-11dc-8001-00e0206049c4}]
AutoRun\command- I:\
explore\Command- I:\RECYCLER\autorun.exe -ExploreCurDir
open\Command- I:\RECYCLER\autorun.exe -OpenCurDir




-- End of Deckard's System Scanner: finished at 2008-08-09 00:24:49 ------------


Attached file: main.txt (25.91K)
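The indicators a helper reads off a log like the one above (a boot-start driver with no version information, an executable running from a user's Application Data, a full path in the LSA Authentication Packages list, a damaged SafeBoot key, and an autorun.exe mapped from a drive's RECYCLER folder) can be checked mechanically. The script below is an added triage example, not part of the thread and not a feature of DSS, HijackThis or Malwarebytes; the sample lines are copied from the log above, and the rule names and heuristics are my own.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the DSS/HijackThis output quoted in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\qoMgdbyy
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
AutoRun\command- I:\
explore\Command- I:\RECYCLER\autorun.exe -ExploreCurDir
open\Command- I:\RECYCLER\autorun.exe -OpenCurDir
"""

# DSS driver line: "<start> <name> (<display>) - <path> [<version info>]".
# Start type 0 = boot, 1 = system; DSS appends <...> only when it found version info.
DRIVER_LINE = re.compile(
    r"^(?P<start>R[01]) (?P<name>\S+) (?:\([^)]*\) )?- (?P<path>\S+)(?P<info>\s+<[^>]*>)?\s*$"
)
# Executable living under a user profile's Application Data folder (XP layout).
USER_PROFILE_EXE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\Application Data\\.*\.exe\b", re.IGNORECASE
)
# LSA Authentication Packages entries are bare module names; a full path is abnormal.
AUTH_PACKAGES = re.compile(r'^"Authentication Packages"=\s*(?P<value>.*)$')
# mountpoints2 shell verbs that launch a file from a drive's RECYCLER folder.
MOUNTPOINT_CMD = re.compile(
    r"\\Command-\s*(?P<target>[A-Z]:\\RECYCLER\\[^\s]+)", re.IGNORECASE
)
SAFEBOOT_BROKEN = "SafeBoot registry key needs repairs"


def triage(log_text):
    """Return a list of findings, each a dict with rule, detail and the raw line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_LINE.match(line)
        if m and not m.group("info"):
            findings.append({"rule": "unverified-boot-driver",
                             "detail": f"{m.group('name')} loads at start type "
                                       f"{m.group('start')[1]} from {m.group('path')} "
                                       "with no version information",
                             "line": line})
            continue
        if USER_PROFILE_EXE.search(line):
            findings.append({"rule": "user-profile-executable",
                             "detail": "executable under a user's Application Data",
                             "line": line})
            continue
        m = AUTH_PACKAGES.match(line)
        if m:
            odd = [t for t in m.group("value").split() if "\\" in t or "/" in t]
            if odd:
                findings.append({"rule": "lsa-auth-package-path",
                                 "detail": "path-like entries: " + ", ".join(odd),
                                 "line": line})
            continue
        if SAFEBOOT_BROKEN in line:
            findings.append({"rule": "safeboot-broken",
                             "detail": "Safe Mode boot list damaged",
                             "line": line})
            continue
        m = MOUNTPOINT_CMD.search(line)
        if m:
            findings.append({"rule": "removable-autorun",
                             "detail": f"shell verb runs {m.group('target')}",
                             "line": line})
    return findings


def count_by_rule(findings):
    """Histogram of findings by rule name."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

Run against the sample it reports six findings: the srosa.sys driver, flec006.exe, the qoMgdbyy authentication package, the SafeBoot line and both RECYCLER autorun verbs, while the svchost, ctfmon and CdaC15BA lines pass.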
Essexboy
post Aug 8 2008, 01:37 PM
Post #2


Global Moderator
Posts: 10,021
From: Darkest Cornwall
OS: Vista Ultimate



Yep, you have Bagle, so let's try to remove it for you. Please read the following carefully before downloading and running any programme.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
maverickk
post Aug 11 2008, 10:43 AM
Post #3


New Member
Posts: 7
OS: XP



Hi
For the past two days I have been trying to download ComboFix, but I am not able to download it: either the download stops abruptly or the net disconnects, and if it is downloaded, when trying to run it, it says not a valid Win32 application. Please help me.
Essexboy
post Aug 11 2008, 12:13 PM
Post #4


Global Moderator
Posts: 10,021
From: Darkest Cornwall
OS: Vista Ultimate



Hi again - it seems that some variants are now targeting CF, so please download and run Bagel fix.

This will produce a log at C:\Bagled.txt; could you post this?
Essexboy
post Aug 16 2008, 03:36 AM
Post #5


Global Moderator
Posts: 10,021
From: Darkest Cornwall
OS: Vista Ultimate



Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
admin
post Aug 18 2008, 12:36 PM
Post #6


Site Administrator
Posts: 17,667
From: 127.0.0.1
OS: Windows Vista Ultimate



Reopened at the request of the topic starter.
maverickk
post Aug 18 2008, 12:49 PM
Post #7


New Member
Posts: 7
OS: XP



Hi Essexboy,
I am attaching the Bagled.txt and ComboFix.txt as said by you. Since my internet connection was down for some period due to bad weather, I was not able to post to you.
Attached files: Bagled.txt (62 bytes), ComboFix.txt (55.73K)
Essexboy
post Aug 18 2008, 01:04 PM
Post #8


Global Moderator
Posts: 10,021
From: Darkest Cornwall
OS: Vista Ultimate



No problems on that. I hope the weather is a bit better now.

Looks like the dreaded Bagle has gone. I would now like to do a deep search to ensure that it hasn't left anything behind. How is your computer behaving now?

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
maverickk
post Aug 18 2008, 01:29 PM
Post #9


New Member
Posts: 7
OS: XP



The weather is getting better...


I am attaching the txt file that I got by running OTScanIt.

This post has been edited by maverickk: Aug 18 2008, 01:37 PM
Attached file: OTScanIt.Txt (333.15K)