Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I don't know what to do

Started by Brewskie , Mar 05 2006 01:11 PM

  • Please log in to reply

#1
Brewskie
Posted 05 March 2006 - 01:11 PM

Brewskie

    New Member

  • Member
  • Pip
  • 6 posts
I have done everything I can think of to get rid of whatever I have on my machine. I don't know what it is, or how to get rid of it. I would appreciate any I can get. AVG is constantly stopping trojan downloaders. I get more pop-ups than I have ever had before. If I leave my computer online for more than 5 minutes the pop-ups are so bad, all I can do is restart.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:51 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\microsloft.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Documents and Settings\Nick.BREWSKIE\Desktop\Hijack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINDOWS\System32\pmnmm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Configururation 32] microsloft.exe
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSN MESSENGER] msnme.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [MSN MESSENGER] msnme.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configure12] msoftconf12.exe
O4 - HKLM\..\RunServices: [Microsoft Configururation 32] microsloft.exe
O4 - HKCU\..\Run: [Microsoft Configururation 32] microsloft.exe
O4 - HKCU\..\Run: [Ymjg] C:\Program Files\Common Files\?ymbols\?ttrib.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Configure12] msoftconf12.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131284017863
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141574863627
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\enr6l19s1.dll
O20 - Winlogon Notify: pmnmm - C:\WINDOWS\System32\pmnmm.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lsass Windows Xp (LsassXP) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super AOL instant messenger (supermsg) - Unknown owner - C:\WINDOWS\lsass2.exe (file missing)
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
  • 0

Advertisements

#2
loophole
Posted 05 March 2006 - 01:49 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi Brewskie :tazz:

This will take a few steps to clean

Go to start >>>>>run and copy and paste the following lines in one at a time pressing enter after each line you paste in

sc stop LsassXP
sc delete LsassXP
sc stop supermsg
sc delete supermsg
sc stop Windows Kernel Serivce
sc delete Windows Kernel Serivce



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.

After the reboot

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt in your next reply.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX



Post the contents of the C:\Look2Me-Destroyer.txt, The C:\vundofix.txt and a new Hijack log

Thanks
  • 0

#3
Brewskie
Posted 05 March 2006 - 02:19 PM

Brewskie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, so far so good.

Hijack -This

Logfile of HijackThis v1.99.1
Scan saved at 3:16:19 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick.BREWSKIE\Desktop\Hijack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINDOWS\System32\pmnmm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [MSN MESSENGER] msnme.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configure12] msoftconf12.exe
O4 - HKLM\..\RunServices: [Microsoft Configururation 32] microsloft.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131284017863
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141574863627
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1613934-37D6-45B0-94D2-378FA58A3D39}: NameServer = 206.141.193.55 66.73.20.40
O20 - Winlogon Notify: pmnmm - C:\WINDOWS\System32\pmnmm.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)


VundoFix


VundoFix V4.2.29
Scan started at 1:25:14 PM 3/5/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.bak1
C:\WINDOWS\System32\mmnmp.bak2

C:\WINDOWS\system32\mmnmp.bak1
C:\WINDOWS\system32\mmnmp.bak2
C:\WINDOWS\system32\mmnmp.ini
C:\WINDOWS\system32\pmnmm.dll

VundoFix V4.2.29
Scan started at 3:00:40 PM 3/5/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.bak1
C:\WINDOWS\System32\mmnmp.bak2

C:\WINDOWS\system32\mmnmp.bak1
C:\WINDOWS\system32\mmnmp.bak2
C:\WINDOWS\system32\mmnmp.ini
C:\WINDOWS\system32\pmnmm.dll
Attempting to delete C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\pmnmm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\mmnmp.bak1
C:\WINDOWS\System32\mmnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\mmnmp.bak2
C:\WINDOWS\System32\mmnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmm.dll
C:\WINDOWS\system32\pmnmm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Look2Me


Look2Me-Destroyer V1.0.7

Scanning for infected files.....
Scan started at 3/5/2006 3:11:05 PM

Infected! C:\WINDOWS\system32\r0r60a9sed.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0025918.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026918.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026924.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026932.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026939.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP101\A0026960.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP102\A0027012.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP102\A0027019.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027030.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027037.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027040.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027060.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027062.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027070.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027076.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0027085.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0027086.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0028093.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0028099.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0029104.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0029113.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0030118.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0031123.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032119.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032125.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032132.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032138.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032145.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032151.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0033155.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0033161.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034162.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034172.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034174.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0035178.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0035182.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036183.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015522.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015532.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015536.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016554.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016560.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016575.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0016605.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0024801.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0024809.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025812.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025817.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP95\A0025839.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP95\A0025846.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025851.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025858.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025866.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025868.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025875.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025876.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025883.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025890.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP98\A0025898.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP99\A0025911.dll
Infected! C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP99\A0025913.dll
Infected! C:\WINDOWS\system32\cwm.dll
Infected! C:\WINDOWS\system32\cynfmsp.dll
Infected! C:\WINDOWS\system32\dHdpmesh.dll
Infected! C:\WINDOWS\system32\dmlayx.dll
Infected! C:\WINDOWS\system32\dOdim.dll
Infected! C:\WINDOWS\system32\dRnim.dll
Infected! C:\WINDOWS\system32\en24l1fq1.dll
Infected! C:\WINDOWS\system32\en48l1hu1.dll
Infected! C:\WINDOWS\system32\en4sl1h71.dll
Infected! C:\WINDOWS\system32\enjol1131.dll
Infected! C:\WINDOWS\system32\enpsl1771.dll
Infected! C:\WINDOWS\system32\enrql1951.dll
Infected! C:\WINDOWS\system32\fklemgmt.dll
Infected! C:\WINDOWS\system32\g6lmlg3116.dll
Infected! C:\WINDOWS\system32\gpdef.dll
Infected! C:\WINDOWS\system32\hfetcfg.dll
Infected! C:\WINDOWS\system32\hr6605jse.dll
Infected! C:\WINDOWS\system32\hretmon.dll
Infected! C:\WINDOWS\system32\hrls0537e.dll
Infected! C:\WINDOWS\system32\hrn6055se.dll
Infected! C:\WINDOWS\system32\ir00l5dm1.dll
Infected! C:\WINDOWS\system32\k208lcdu1f08.dll
Infected! C:\WINDOWS\system32\kkdcz.dll
Infected! C:\WINDOWS\system32\kt0ul7d91.dll
Infected! C:\WINDOWS\system32\ktp8l77u1.dll
Infected! C:\WINDOWS\system32\ktpsl7771.dll
Infected! C:\WINDOWS\system32\l4p20e7oeh.dll
Infected! C:\WINDOWS\system32\ldhsvc.dll
Infected! C:\WINDOWS\system32\lf32.dll
Infected! C:\WINDOWS\system32\lRprxy.dll
Infected! C:\WINDOWS\system32\lv8209loe.dll
Infected! C:\WINDOWS\system32\lvj0091me.dll
Infected! C:\WINDOWS\system32\maxml2.dll
Infected! C:\WINDOWS\system32\mcprivs.dll
Infected! C:\WINDOWS\system32\mcratelc.dll
Infected! C:\WINDOWS\system32\mdutb.dll
Infected! C:\WINDOWS\system32\mfgsvc.dll
Infected! C:\WINDOWS\system32\mfjava.dll
Infected! C:\WINDOWS\system32\mgvbvm60.dll
Infected! C:\WINDOWS\system32\mrpbde40.dll
Infected! C:\WINDOWS\system32\mthcp.dll
Infected! C:\WINDOWS\system32\n66qlgj516o.dll
Infected! C:\WINDOWS\system32\noprint.dll
Infected! C:\WINDOWS\system32\nztlogon.dll
Infected! C:\WINDOWS\system32\o0pq0a75ed.dll
Infected! C:\WINDOWS\system32\o2lulc391f.dll
Infected! C:\WINDOWS\system32\pyofmap.dll
Infected! C:\WINDOWS\system32\r0r60a9sed.dll
Infected! C:\WINDOWS\system32\soredir.dll
Infected! C:\WINDOWS\system32\sslwoa.dll
Infected! C:\WINDOWS\system32\svbrccsp.dll
Infected! C:\WINDOWS\system32\t08u0al9edq.dll
Infected! C:\WINDOWS\system32\tKembed.dll
Infected! C:\WINDOWS\system32\ucrcntra.dll
Infected! C:\WINDOWS\system32\uprcntra.dll
Infected! C:\WINDOWS\system32\wjnhttp.dll
Infected! C:\WINDOWS\system32\WlhRm.dll
Infected! C:\WINDOWS\system32\xoidvfw.dll
Infected! C:\WINDOWS\system32\zvpfldr.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\r0r60a9sed.dll
C:\WINDOWS\system32\r0r60a9sed.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0025918.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0025918.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026918.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026918.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026924.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026924.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026932.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026932.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026939.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP100\A0026939.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP101\A0026960.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP101\A0026960.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP102\A0027012.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP102\A0027012.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP102\A0027019.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP102\A0027019.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027030.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027030.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027037.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027037.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027040.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP103\A0027040.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027060.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027060.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027062.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027062.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027070.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027070.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027076.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP104\A0027076.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0027085.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0027085.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0027086.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0027086.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0028093.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0028093.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0028099.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0028099.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0029104.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0029104.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0029113.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0029113.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0030118.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0030118.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0031123.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0031123.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032119.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032119.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032125.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032125.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032132.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032132.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032138.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032138.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032145.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032145.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032151.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032151.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0033155.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0033155.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0033161.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0033161.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034162.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034162.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034172.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034172.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034174.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0034174.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0035178.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0035178.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0035182.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0035182.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036183.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036183.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015522.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015522.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015532.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015532.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015536.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP92\A0015536.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016554.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016554.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016560.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016560.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016575.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016575.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0016605.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0016605.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0024801.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0024801.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0024809.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0024809.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025812.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025812.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025817.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025817.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP95\A0025839.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP95\A0025839.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP95\A0025846.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP95\A0025846.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025851.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025851.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025858.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025858.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025866.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025866.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025868.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP96\A0025868.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025875.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025875.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025876.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025876.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025883.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025883.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025890.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP97\A0025890.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP98\A0025898.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP98\A0025898.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP99\A0025911.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP99\A0025911.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP99\A0025913.dll
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP99\A0025913.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cwm.dll
C:\WINDOWS\system32\cwm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cynfmsp.dll
C:\WINDOWS\system32\cynfmsp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dHdpmesh.dll
C:\WINDOWS\system32\dHdpmesh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dmlayx.dll
C:\WINDOWS\system32\dmlayx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dOdim.dll
C:\WINDOWS\system32\dOdim.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dRnim.dll
C:\WINDOWS\system32\dRnim.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en24l1fq1.dll
C:\WINDOWS\system32\en24l1fq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en48l1hu1.dll
C:\WINDOWS\system32\en48l1hu1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en4sl1h71.dll
C:\WINDOWS\system32\en4sl1h71.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enjol1131.dll
C:\WINDOWS\system32\enjol1131.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enpsl1771.dll
C:\WINDOWS\system32\enpsl1771.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enrql1951.dll
C:\WINDOWS\system32\enrql1951.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fklemgmt.dll
C:\WINDOWS\system32\fklemgmt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\g6lmlg3116.dll
C:\WINDOWS\system32\g6lmlg3116.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gpdef.dll
C:\WINDOWS\system32\gpdef.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hfetcfg.dll
C:\WINDOWS\system32\hfetcfg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr6605jse.dll
C:\WINDOWS\system32\hr6605jse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hretmon.dll
C:\WINDOWS\system32\hretmon.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrls0537e.dll
C:\WINDOWS\system32\hrls0537e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrn6055se.dll
C:\WINDOWS\system32\hrn6055se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir00l5dm1.dll
C:\WINDOWS\system32\ir00l5dm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k208lcdu1f08.dll
C:\WINDOWS\system32\k208lcdu1f08.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kkdcz.dll
C:\WINDOWS\system32\kkdcz.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kt0ul7d91.dll
C:\WINDOWS\system32\kt0ul7d91.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktp8l77u1.dll
C:\WINDOWS\system32\ktp8l77u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktpsl7771.dll
C:\WINDOWS\system32\ktpsl7771.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l4p20e7oeh.dll
C:\WINDOWS\system32\l4p20e7oeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ldhsvc.dll
C:\WINDOWS\system32\ldhsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lf32.dll
C:\WINDOWS\system32\lf32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lRprxy.dll
C:\WINDOWS\system32\lRprxy.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv8209loe.dll
C:\WINDOWS\system32\lv8209loe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvj0091me.dll
C:\WINDOWS\system32\lvj0091me.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\maxml2.dll
C:\WINDOWS\system32\maxml2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mcprivs.dll
C:\WINDOWS\system32\mcprivs.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mcratelc.dll
C:\WINDOWS\system32\mcratelc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mdutb.dll
C:\WINDOWS\system32\mdutb.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mfgsvc.dll
C:\WINDOWS\system32\mfgsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mfjava.dll
C:\WINDOWS\system32\mfjava.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mgvbvm60.dll
C:\WINDOWS\system32\mgvbvm60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mrpbde40.dll
C:\WINDOWS\system32\mrpbde40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mthcp.dll
C:\WINDOWS\system32\mthcp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n66qlgj516o.dll
C:\WINDOWS\system32\n66qlgj516o.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\noprint.dll
C:\WINDOWS\system32\noprint.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nztlogon.dll
C:\WINDOWS\system32\nztlogon.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o0pq0a75ed.dll
C:\WINDOWS\system32\o0pq0a75ed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o2lulc391f.dll
C:\WINDOWS\system32\o2lulc391f.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\pyofmap.dll
C:\WINDOWS\system32\pyofmap.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r0r60a9sed.dll
C:\WINDOWS\system32\r0r60a9sed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\soredir.dll
C:\WINDOWS\system32\soredir.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sslwoa.dll
C:\WINDOWS\system32\sslwoa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\svbrccsp.dll
C:\WINDOWS\system32\svbrccsp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\t08u0al9edq.dll
C:\WINDOWS\system32\t08u0al9edq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tKembed.dll
C:\WINDOWS\system32\tKembed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ucrcntra.dll
C:\WINDOWS\system32\ucrcntra.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uprcntra.dll
C:\WINDOWS\system32\uprcntra.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wjnhttp.dll
C:\WINDOWS\system32\wjnhttp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\WlhRm.dll
C:\WINDOWS\system32\WlhRm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\xoidvfw.dll
C:\WINDOWS\system32\xoidvfw.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\zvpfldr.dll
C:\WINDOWS\system32\zvpfldr.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3A108B52-D4C3-4868-B9FF-7B08FC70AF06}"
HKCR\Clsid\{3A108B52-D4C3-4868-B9FF-7B08FC70AF06}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A99A418A-08F1-496D-9AED-1113833F94CA}"
HKCR\Clsid\{A99A418A-08F1-496D-9AED-1113833F94CA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{257473FF-ED24-4A51-A350-7163ED556657}"
HKCR\Clsid\{257473FF-ED24-4A51-A350-7163ED556657}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{89D163ED-E2B8-4C29-9083-C9036B46A1BA}"
HKCR\Clsid\{89D163ED-E2B8-4C29-9083-C9036B46A1BA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0ED4E94B-16A5-469D-BC8D-F5B82DE5C268}"
HKCR\Clsid\{0ED4E94B-16A5-469D-BC8D-F5B82DE5C268}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EFFD06CF-FDB4-448A-8EDD-DEC2BDC6A6D7}"
HKCR\Clsid\{EFFD06CF-FDB4-448A-8EDD-DEC2BDC6A6D7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CD689A9C-C0B4-4EAB-81F5-1381E0B67C4D}"
HKCR\Clsid\{CD689A9C-C0B4-4EAB-81F5-1381E0B67C4D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EE9EBB68-65DC-4A4C-AFF0-446E99BBE139}"
HKCR\Clsid\{EE9EBB68-65DC-4A4C-AFF0-446E99BBE139}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AFD8ECA0-982D-45B6-AA5F-91F160FE4524}"
HKCR\Clsid\{AFD8ECA0-982D-45B6-AA5F-91F160FE4524}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
  • 0

#4
loophole
Posted 05 March 2006 - 02:46 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi Brewskie

OK one big one down but one of the tools failed we will try again in a little bit

Please download ATF Cleaner by Atribune.Save it to the desktop
This program is for XP and Windows 2000 only

Please download * rdrivRem.zip and unzip it to your desktop



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\RunServices: [MSN MESSENGER] msnme.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configure12] msoftconf12.exe
O4 - HKLM\..\RunServices: [Microsoft Configururation 32] microsloft.exe


Now close all windows other than HiJackThis, then click Fix Checked

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.


Show Hidden Files and Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and
  • folders heading, select Show hidden files and folders.
  • Uncheck: Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please delete the files in red using Windows Explorer(if present):

Hijack doesn't give me the exact location. If you cant find them they are probably gone .They will be in the C:\windows folder or the C:\windows\system32 folder more than likely

msoftconf.exe
msoftconf12.exe
msnme.exe
microsloft.exe

1.) Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click ATF-Cleaner.exe to run the program.Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot

Rerun the Vundofix per my previous instructions

Pst the Vundo log , the rdriv.txt in the rdrivRem folder and a new Hijack log

Thanks
  • 0

#5
Brewskie
Posted 05 March 2006 - 04:07 PM

Brewskie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I was only able to find microsloft.exe. I renames the file extention so it couldnt be used. Here is the information you requested.

Hijack-This

Logfile of HijackThis v1.99.1
Scan saved at 4:59:57 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Documents and Settings\Nick.BREWSKIE\Desktop\Hijack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131284017863
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141574863627
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)

Vundofix

VundoFix V4.2.29
Scan started at 1:25:14 PM 3/5/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.bak1
C:\WINDOWS\System32\mmnmp.bak2

C:\WINDOWS\system32\mmnmp.bak1
C:\WINDOWS\system32\mmnmp.bak2
C:\WINDOWS\system32\mmnmp.ini
C:\WINDOWS\system32\pmnmm.dll

VundoFix V4.2.29
Scan started at 3:00:40 PM 3/5/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.bak1
C:\WINDOWS\System32\mmnmp.bak2

C:\WINDOWS\system32\mmnmp.bak1
C:\WINDOWS\system32\mmnmp.bak2
C:\WINDOWS\system32\mmnmp.ini
C:\WINDOWS\system32\pmnmm.dll
Attempting to delete C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\pmnmm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\mmnmp.bak1
C:\WINDOWS\System32\mmnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\mmnmp.bak2
C:\WINDOWS\System32\mmnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmm.dll
C:\WINDOWS\system32\pmnmm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.29
Scan started at 4:58:05 PM 3/5/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\mmnmp.ini

Attempting to delete C:\WINDOWS\System32\pmnmm.dll
C:\WINDOWS\System32\pmnmm.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\mmnmp.ini
C:\WINDOWS\System32\mmnmp.ini Has been deleted!

Performing Repairs to the registry.
Done!

Rdriv

RDrivRem Log 16:32:17.17 Sun 03/05/2006


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~



~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
  • 0

#6
loophole
Posted 05 March 2006 - 04:20 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Great. Looks like the tool worked that time

The hard part is over. Lets continue

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing

Now close all windows other than HiJackThis, then click Fix Checked


Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:


wkssvc (Windows Kernel Serivce)


When you find it double click it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):


Windows Kernel Serivce

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click YES.


Lets finish up

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
.
  • 0

#7
Brewskie
Posted 05 March 2006 - 05:36 PM

Brewskie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Kaspersky Virus scan complete.

New Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 6:32:43 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick.BREWSKIE\Desktop\Hijack This\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131284017863
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141574863627
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1613934-37D6-45B0-94D2-378FA58A3D39}: NameServer = 206.141.193.55 66.73.20.40
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Kaspersky Scan

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, March 05, 2006 6:32:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 5/03/2006
Kaspersky Anti-Virus database records: 180328
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62978
Number of viruses found: 17
Number of infected objects: 124
Number of suspicious objects: 0
Duration of the scan process: 00:49:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ESHNH93D\AGEU_SilentSudokuInstaller[1].exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ESHNH93D\AGEU_SilentSudokuInstaller[1].exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ESHNH93D\AGEU_SilentSudokuInstaller[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ESHNH93D\ibycgt[1].cab/titno.exe Infected: not-a-virus:AdWare.Win32.MDH.e skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ESHNH93D\ibycgt[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Nick\My Documents\Key Finder.zip/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\Key Finder.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\Key Finder.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\Key Finder.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\Key Finder.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Nick\My Documents\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Nick\My Documents\keyfinder.exe RarSFX: infected - 3 skipped
C:\drsmartload1.exe Infected: Trojan-Downloader.Win32.Adload.u skipped
C:\RECYCLER\S-1-5-21-861567501-484763869-1708537768-500\Dc3.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\RECYCLER\S-1-5-21-861567501-484763869-1708537768-500\Dc7.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\RECYCLER\S-1-5-21-861567501-484763869-1708537768-500\Dc7.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\RECYCLER\S-1-5-21-861567501-484763869-1708537768-500\Dc7.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0030120.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032127.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0032131.exe Infected: Trojan-Downloader.Win32.PurityScan.bv skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036184.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036185.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036186.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036187.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036188.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036189.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036190.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036191.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036192.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036193.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036194.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036195.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036196.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036197.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036198.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036199.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036200.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036201.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036202.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036203.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036204.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036205.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036206.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036207.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036208.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036209.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036210.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036211.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036212.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036213.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036214.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036215.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036216.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036217.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036218.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036219.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036220.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036221.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036222.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036223.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036224.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036225.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036226.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036227.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036228.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036229.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036230.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036231.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036232.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036233.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036234.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036235.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036236.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036237.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036238.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036239.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036240.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036311.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP105\A0036314.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015476.exe/winlogon.exe Infected: Trojan-Clicker.Win32.Agent.ap skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015476.exe/dr.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015476.exe/IEXPLO~1.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015476.exe/scctd.exe Infected: Trojan-Proxy.Win32.Daemonize.bx skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015476.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015477.exe/winlogon.exe Infected: Trojan-Clicker.Win32.Agent.ap skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015477.exe/dr.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015477.exe/IEXPLO~1.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP89\A0015477.exe CAB: infected - 3 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP91\A0015508.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP91\A0015510.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP91\A0015515.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP91\A0015515.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016555.exe/dr.exe Infected: Trojan-Downloader.Win32.Adload.o skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016555.exe/IEXPLO~1.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016555.exe/is396.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016555.exe/scctd.exe Infected: Trojan-Proxy.Win32.Daemonize.bx skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016555.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016568.exe/dr.exe Infected: Trojan-Downloader.Win32.Adload.o skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016568.exe/IEXPLO~1.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016568.exe/is396.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016568.exe/scctd.exe Infected: Trojan-Proxy.Win32.Daemonize.bx skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP93\A0016568.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025823.exe/dr.exe Infected: Trojan-Downloader.Win32.Adload.o skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025823.exe/IEXPLO~1.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025823.exe/is396.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025823.exe/scctd.exe Infected: Trojan-Proxy.Win32.Daemonize.bx skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025823.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025824.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025829.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{4128E39D-3F0C-4210-AAF5-7A10CDA9B3B1}\RP94\A0025829.exe NSIS: infected - 1 skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\system32\DH9013.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\system32\DH9013.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\gebba.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\WINDOWS\system32\hgdbx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\WINDOWS\system32\microsloft.nick Infected: Backdoor.Win32.Rbot.gen skipped
C:\WINDOWS\system32\mmcpxl32.dLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\system32\titno.exe Infected: not-a-virus:AdWare.Win32.MDH.e skipped
C:\WINDOWS\system32\vtsqp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped

Scan process completed.
  • 0

#8
loophole
Posted 05 March 2006 - 06:11 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi Brewskie :)

Please download the Killbox by Option^Explicit.


Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop.


Delete the following folders

C:\Documents and Settings\Nick\My Documents\Key Finder.zip

The above is probably the source of all the mayham

Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

Pocket Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\system32\DH9013.exe
    C:\drsmartload1.exe
    C:\WINDOWS\system32\gebba.dll
    C:\WINDOWS\system32\hgdbx.dll
    C:\WINDOWS\system32\microsloft.nick
    C:\WINDOWS\system32\mmcpxl32.dLL
    C:\WINDOWS\system32\titno.exe
    C:\WINDOWS\system32\vtsqp.dll
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe
    C:\Documents and Settings\Nick\My Documents\keyfinder.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

Lets see one more Hijack log and let me know how things are running :tazz:
  • 0

#9
Brewskie
Posted 05 March 2006 - 06:30 PM

Brewskie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you very much Loophole. You have been a huge help.

Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 7:28:04 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick.BREWSKIE\Desktop\Hijack This\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131284017863
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141574863627
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1613934-37D6-45B0-94D2-378FA58A3D39}: NameServer = 206.141.193.55 66.73.20.40
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#10
loophole
Posted 05 March 2006 - 07:11 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Your welcome

Is the computer back to normal?
  • 0

#11
Brewskie
Posted 05 March 2006 - 07:49 PM

Brewskie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Runnin' like a champ, thanks again
  • 0

#12
loophole
Posted 05 March 2006 - 09:27 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Great, glad to hear it :)

Congratulations
your system is clean :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Anti virus- An anti-virus is a must, here are a few good free ones.Please never run more than one ant-virus at a time.

  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner (by Atribune) - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP