
Some sort of visual basic virus!


  • This topic is locked

#1
prototype

    New Member

  • Member
  • 8 posts
Somebody gave me a link to a so-called trainer for a game, but it turns out it was a 20kb exe file and, me being a big dummy, I ran it. My PC locked up on me and if I start up then log on, I can't do anything. It just beeps and freezes up.

I'm using safe mode with networking right now, and I can't stand this screen resolution >_<

If someone could help me out, that would be splendiferous. :whistling:


HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:47:55 AM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B82F5B0-F934-322E-1902-0A2E1B45FB06} - C:\WINDOWS\system32\edhokbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pologi] C:\WINDOWS\PeerNet\pologi.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [dukvihsA] C:\WINDOWS\dukvihsA.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIBF9C~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIBF9C~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - Unknown owner - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe" runservice -N "pgsql-8.0" -D "C:\Program Files\PostgreSQL\8.0\data\ (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dukvihs.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Thanks in advance
  • 0



#2
Jrenter2

    Member

  • Member
  • 435 posts
Hello Prototype and welcome to G2Go!
My name is Joe and I will be helping you with your computer problems today. Please be patient as I am still in training and all my posts are reviewed by our Expert Instructors prior to posting. With this in mind, there may be a little delay between posts.

Please give me a little bit to look over your log. I will post back some instructions as soon as possible.
  • 0

#3
Jrenter2

    Member

  • Member
  • 435 posts
Hello Prototype

Ok, we have got some serious trojans and other nasty infection issues with your machine. While it may be frustrating, please bear with me as we take care of it. Together we will get through this situation. Before we continue, you may wish to print out these instructions for easy reference during the fix, because part of the fix may require you to be in Safe Mode, which will not allow you to access the Web. You can click the Options drop down near the upper right of the topic. Select Print this topic.

You are currently using HijackThis from your desktop. This really needs to be in a separate directory. HijackThis creates backups that are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, download and unzip or copy HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder

1. Please go to My Computer, open your C:\ drive, select New >> Folder and name the folder HJT.

2. Download HijackThis to the new folder:

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

4. Close ALL windows except HJT

5. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
Please make sure you post the entire log including the top portion:

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Next, I would like to see what programs you have installed on your system. Please provide me with a Uninstall List by doing the following:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save. (copy and paste the results in your next post.)

Now, Download LSPFix.exe to a convenient location (like your Desktop). Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start
> Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, Please run the following tool, NewDotNet Removal tool. (ONLY if you can't find the New.Net in Add/Remove programs).

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.


After you do the above, please post back with:

HJT log
Uninstall List

  • 0

#4
prototype

    New Member

  • Topic Starter
  • Member
  • 8 posts
Okay, I'm in safe mode with networking again. I ran the HJT scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:37:47 PM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B82F5B0-F934-322E-1902-0A2E1B45FB06} - C:\WINDOWS\system32\edhokbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pologi] C:\WINDOWS\PeerNet\pologi.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [dukvihsA] C:\WINDOWS\dukvihsA.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIBF9C~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIBF9C~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - Unknown owner - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe" runservice -N "pgsql-8.0" -D "C:\Program Files\PostgreSQL\8.0\data\ (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dukvihs.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

After that, I ran the uninstall manager scan:

µTorrent
7-Zip 4.42
Ad-Aware SE Personal
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8
Adobe Stock Photos 1.0
AEVITA Wipe & Delete version 1.03
AIM Invader Pro 1.1.891
AltoMP3 Maker 3.12
AOL Instant Messenger
Apple Software Update
AVG Anti-Spyware 7.5
AVI DVD Burner 2007 ver 2.24
AviSynth 2.5
Babylon
Broadcom 802.11 Network Adapter
Canon iP6210D
CleanUp!
Cole2k Media - Nero Audio Plugin Pack
Cool Edit Pro 2.1
CopyPod (remove only)
DTMF Dial
EarthDesk
eMule
EphPod
Exact Audio Copy 0.95b4
Family Tree Maker
FLAC Installer 1.1.3b (remove only)
Fraps (remove only)
Grand Theft Auto Vice City
GTA San Andreas
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
ID3-TagIT 3
IMG 1.1
iScrobbler
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9
K-Lite Codec Pack 2.80 Full
Last.fm 1.1.0.0
LimeWire PRO 4.12.6
Merriam-Webster
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Moo Mapper Beta 0.90 - Uninstall
Mozilla Firefox (2.0.0.1)
MTA: Race for San Andreas 1.1.1
Multi Theft Auto
Nero 7 Ultra Edition
Nero Reloaded PlugIn Pack 2.0.4 by GEAR
NVIDIA Ethernet Driver
Parallel Port Joystick
PiMPStreamer
PostgreSQL 8.0
PSPHost
QuickTime
RealPlayer
Realtek AC'97 Audio
SAM3 (remove only)
SHOUTcast DNAS (remove only)
Skype 3.0
Skype Plugin Manager
Sony Media Manager 2.2
Sony Vegas 7.0
Sound Blaster Audigy
Steam
StepMania (remove only)
StepMania CVS (remove only)
Tag&Rename 3.3
The Rosetta Stone
TightVNC 1.2.9
Trillian
Tunatic
Vice City Mod Manager
VideoLAN VLC media player 0.8.6
Videora PMP Converter 0.90
Viewpoint Media Player
Web Nexus Network
Winamp (remove only)
WinAVIVideoConverter
WindowBlinds
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Overlay Components
WinRAR archiver
WMPTagSupportExtender
XAMPP 1.5.5
Xfire (remove only)
XviD4PSP by Winnydows


Then I proceeded to uninstall NewDotCom. (I didn't see it in the Control Panel list, so I used the removal tool.)

I was able to access websites after that (thus me posting this log), and I did not need to use LSPFix. However, I am still keeping it just in case.

Thank you for your help so far :whistling:, I thought I was going to have to re-install Windows :blink:
  • 0

#5
Jrenter2

    Member

  • Member
  • 435 posts
Hi Prototype

You're welcome thus far...and I don't want to have to go down the road of reinstalling anything if I can help it. :whistling:

Ok, you have a file that I need you to submit for review before I tell you what to do with it. Please do the following.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\WINDOWS\PeerNet\pologi.exe
  • Click on the submit button
  • Please post the results in your next reply.
Next, run the LSPFix.exe that you have downloaded.
Check the "I know what I'm doing" box.
In the Keep box you should see one or more instances of newdotnet6_38.dll.
Select every instance of newdotnet6_38.dll and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.

Next, download SUPERAntiSpyware....

SUPERAntiSpyware Home Edition (free version) - Download - Home Page
  • Install it and double-click the icon on your desktop to run it.
    It will ask if you want to update the program definitions, click Yes.

    Under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
      Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    On the main screen, under Scan for Harmful Software click Scan your computer.
    On the left check C:\Fixed Drive.
    On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
    After the scan is complete a summary box will appear. Click OK.
    Make sure everything in the white box has a check next to it, then click Next.
    It will quarantine what it found and if it asks if you want to reboot, click Yes.
    To retrieve the removal information for me please do the following:
    After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
Save the log information.

Next step will be to re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {0B82F5B0-F934-322E-1902-0A2E1B45FB06} - C:\WINDOWS\system32\edhokbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pologi] C:\WINDOWS\PeerNet\pologi.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [dukvihsA] C:\WINDOWS\dukvihsA.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dukvihs.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Windows Overlay Components

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Newdotnet - (If Present)

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\PeerNet\pologi.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\alsys.exe
C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\dukvihsA.exe
C:\WINDOWS\system32\alsys.exe
C:\WINDOWS\system32\tccpip.exe
C:\WINDOWS\dukvihs.exe
C:\WINDOWS\system32\edhokbd.dll



After that, Reboot.

When that is all completed post back here with the following:

New HJT log
Jotti Report
SUPERAntiSpyware log

  • 0
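As an added illustration, not part of this thread and not from HijackThis or any other tool named in it, the script below triages HijackThis-format log lines with the same checks the helper applied by eye: entries pointing at files that no longer exist, unnamed BHOs, Run entries with no full path or placed directly in the Windows root, one image registered under both HKLM and HKCU, a missing Winsock LSP DLL, and vendorless services with lookalike names such as "Supp0rt". The sample lines are a constructed subset of the log posted above; the flag wording and heuristics are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: a subset of the HijackThis v1.99.1 entries posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B82F5B0-F934-322E-1902-0A2E1B45FB06} - C:\WINDOWS\system32\edhokbd.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKLM\..\Run: [dukvihsA] C:\WINDOWS\dukvihsA.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dukvihs.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|dll|com|scr|bat))\b"?', re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
LOOKALIKE_RE = re.compile(r"[A-Za-z]0[A-Za-z]")  # digit zero inside a word, e.g. "Supp0rt"


@dataclass
class Entry:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Keep only the R*/O* entry lines; the header and process list are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def run_image(cmd: str) -> str:
    """Best-effort extraction of the executable from an O4 command line (quoted or not)."""
    m = IMAGE_RE.match(cmd)
    return m.group("img") if m else cmd.strip('"').split(" ")[0]


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags to entries; returns only those that got at least one flag."""
    hives_by_image: Dict[str, set] = {}
    for e in entries:
        low = e.body.lower()
        if "(no file)" in low or "(file missing)" in low:
            e.flags.append("dangling: registry still points at a file that no longer exists")
        if e.code == "O2" and low.startswith("bho: (no name)"):
            e.flags.append("unnamed BHO: legitimate browser helpers register a display name")
        if e.code == "O4" and (m := RUN_RE.match(e.body)):
            img = run_image(m.group("cmd"))
            if "\\" not in img:
                e.flags.append("no full path: image is resolved through a PATH search at logon")
            elif img.lower().rsplit("\\", 1)[0] == "c:\\windows":
                e.flags.append("autorun image sits directly in the Windows root directory")
            hives_by_image.setdefault(img.lower(), set()).add(m.group("hive"))
        if e.code == "O10" and "missing" in low:
            e.flags.append("Winsock LSP references a missing DLL: networking stays broken until the chain is repaired")
        if e.code == "O23" and (m := SERVICE_RE.match(e.body)):
            if LOOKALIKE_RE.search(m.group("name")):
                e.flags.append("digit 0 inside a word of the service name: lookalike of a system component")
            if m.group("owner").lower() == "unknown owner" and "(file missing)" in low:
                e.flags.append("vendorless service whose binary is gone: leftover of a removed trojan service")
    # Second pass: one image registered under both HKLM and HKCU Run keys is a persistence duplicate.
    for e in entries:
        m = RUN_RE.match(e.body) if e.code == "O4" else None
        if m and len(hives_by_image[run_image(m.group("cmd")).lower()]) > 1:
            e.flags.append("same image registered under both HKLM and HKCU Run keys")
    return [e for e in entries if e.flags]


def flagged_codes(text: str) -> Dict[str, int]:
    """Count flagged entries per HijackThis section code for a quick summary."""
    counts: Dict[str, int] = {}
    for e in triage(parse_log(text)):
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.code} - {entry.body}")
        for flag in entry.flags:
            print(f"    -> {flag}")
```

The flags mark entries for a human to verify against the installed-programs list, exactly as the helper does here; a bare filename such as ALCXMNTR.EXE can belong to a real audio driver, so a flag is a review prompt, not a verdict.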

#6
prototype

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey! I followed your steps and tried loading up in normal mode.. now everything seems to be in tip-top shape! I can do everything I could do before.

Thank you so much, it's so hard to express my gratitude just by typing it.

Now I don't have to back up all my data to DVDs.


Once again thankyouthankyouthankyouthankyouthankyouthankyou.
  • 0

#7
Jrenter2

    Member

  • Member
  • 435 posts
Hi Prototype

Glad to hear that you are running good again. Although this is the case, I would really like to take a look at the logs I had requested and make sure that we did indeed get rid of everything we needed to. If you could please supply those items it would be greatly appreciated. I just like to make sure we have done a complete job in the removal of the nasties.
  • 0

#8
prototype

    New Member

  • Topic Starter
  • Member
  • 8 posts
Done. Looks like I didn't get rid of everything after all..

Here's the superantivirus log followed by the HJT log..

I couldn't get a Jotti log because pologi.exe doesn't exist.

Superantivirus log:

SUPERAntiSpyware Scan Log
Generated 01/26/2007 at 00:03 AM

Application Version : 3.5.1016

Core Rules Database Version : 3173
Trace Rules Database Version: 1183

Scan type : Complete Scan
Total Scan Time : 01:49:50

Memory items scanned : 480
Memory threats detected : 0
Registry items scanned : 6263
Registry threats detected : 64
File items scanned : 83403
File threats detected : 121

Trojan.Downloader-Gen
[sysinter] C:\WINDOWS\SYSTEM32\ADIRSS.EXE
C:\WINDOWS\SYSTEM32\ADIRSS.EXE

Trojan.Downloader-LNWIN
[lnwin.exe] C:\WINDOWS\SYSTEM32\LNWIN.EXE
C:\WINDOWS\SYSTEM32\LNWIN.EXE

Trojan.TaskDir
[taskdir] C:\WINDOWS\SYSTEM32\TASKDIR.EXE
C:\WINDOWS\SYSTEM32\TASKDIR.EXE
[taskdir] C:\WINDOWS\SYSTEM32\TASKDIR.EXE
C:\WINDOWS\SYSTEM32\ZLBW.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Adware.WebNexus
HKLM\Software\qstat
HKLM\Software\qstat#double
HKLM\Software\qstat#brr
HKLM\Software\qstat#unq
HKLM\Software\qstat#lid
HKLM\Software\qstat#stat

Trojan.NewDotNet
HKCR\Tldctl2.URLLink
HKCR\Tldctl2.URLLink\CLSID
HKCR\Tldctl2.URLLink\CurVer
HKCR\Tldctl2.URLLink.1
HKCR\Tldctl2.URLLink.1\CLSID
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022348.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022349.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029566.EXE

Adware.Avenue Media/Internet Optimizer
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#Type
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#Start
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Security
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc
C:\WINDOWS\offun.exe

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022350.EXE

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV

Trojan.BraveSentry
C:\Program Files\BraveSentry\BraveSentry.exe
C:\Program Files\BraveSentry\BraveSentry.lic
C:\Program Files\BraveSentry\BraveSentry0.bs
C:\Program Files\BraveSentry\BraveSentry0.dll
C:\Program Files\BraveSentry\BraveSentry1.bs
C:\Program Files\BraveSentry\BraveSentry1.dll
C:\Program Files\BraveSentry\BraveSentry2.dll
C:\Program Files\BraveSentry\BraveSentry3.dll
C:\Program Files\BraveSentry
C:\Documents and Settings\Owner\Start Menu\Programs\BraveSentry\BraveSentry.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\BraveSentry\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\BraveSentry

Adware.DeluxeCommunications
HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks#{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
\DeluxeCommunications
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\DXCKNWRD.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021339.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021340.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021341.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022352.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023486.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023487.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023493.EXE

Trojan.BHOPlugin/Terp
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#Type
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#Start
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#Description
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Security
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum#NextInstance
C:\PROGRAM FILES\BHO PLUGIN\PLUGIN.DLL
C:\PROGRAM FILES\BHO PLUGIN\PLUGIN1.DLL
C:\PROGRAM FILES\BHO PLUGIN\UNINSTALL.EXE
C:\PROGRAM FILES\BHO PLUGIN\~UNINSTALL.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021358.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021359.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023496.EXE

Trojan.TagASaurus
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\DESKTOP\TAGASAURUS.EXE

Adware.MSUpdate
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\21.COM.LNK
C:\DOCUMENTS AND SETTINGS\OWNER\FAVORITES\21.COM.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021357.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022364.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022367.LNK

Trojan.ZQuest
C:\PROGRAM FILES\COMMON FILES\QUZA39.DLL
C:\PROGRAM FILES\COMMON FILES\QUZA482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0021355.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023490.DLL

Adware.k8l
C:\PROGRAM FILES\COMMON FILES\RTEJE.HTML

Trojan.Drop/Gen Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0020472.EXE

Adware.Avenue Media
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022343.EXE

Trojan.Downloader-ADir/TaskDir
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022344.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024517.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0030609.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031645.DLL

Trojan.VXGame-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022345.EXE
C:\WINDOWS\SYSTEM32\DLH9JKD1Q2.EXE
C:\WINDOWS\SYSTEM32\DLH9JKD1Q6.EXE
C:\WINDOWS\SYSTEM32\DLH9JKD1Q7.EXE
C:\WINDOWS\SYSTEM32\GAME1.EXE
C:\WINDOWS\SYSTEM32\GAME2.EXE
C:\WINDOWS\SYSTEM32\GAME4.EXE
C:\WINDOWS\SYSTEM32\QVX5GAMET2.EXE
C:\WINDOWS\SYSTEM32\QVXGA6MET3.EXE
C:\WINDOWS\SYSTEM32\VXG3AM1ET3.EXE
C:\WINDOWS\SYSTEM32\VXG4AM1ET2.EXE
C:\WINDOWS\SYSTEM32\VXGA1ME4T1.EXE
C:\WINDOWS\SYSTEM32\VXGA4M1ET4.EXE
C:\WINDOWS\SYSTEM32\VXGA4ME1.EXE
C:\WINDOWS\SYSTEM32\VXGA8ME6.EXE
C:\WINDOWS\Prefetch\GAME1.EXE-019BA37F.pf
C:\WINDOWS\Prefetch\GAME2.EXE-382FEAC1.pf
C:\WINDOWS\Prefetch\GAME4.EXE-22FC9B4F.pf

Trojan.VXGame/32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022346.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022347.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023494.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023495.EXE

Adware.RAC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0022363.EXE
C:\WINDOWS\PCHEALTH\POLOGI.EXE

Adware.FullContext
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023488.EXE

Trojan.ClbBt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023491.DLL

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023492.EXE

Dialer.Dial/Gen Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023499.EXE

Adware.SysMon
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023541.EXE
C:\WINDOWS\DUKVIHSA.EXE

Trojan.Downloader-WinCom32/Rootkit
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023550.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0023562.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024529.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029603.SYS
C:\WINDOWS\SYSTEM32\GAME5.EXE
C:\WINDOWS\Prefetch\GAME5.EXE-2C024263.pf

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024538.EXE

Trojan.Downloader-DoneDU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029557.DLL

Trojan.Downloader-Gen/Win
C:\WINDOWS\SYSTEM32\GAME0.EXE.EXE
C:\WINDOWS\SYSTEM32\GAME5P.EXE.EXE
C:\WINDOWS\SYSTEM32\KERNELS88.EXE

Trojan.Downloader-LDCORE
C:\WINDOWS\SYSTEM32\LDCORE.DLL

Trojan.SpoolSVV/32
C:\WINDOWS\SYSTEM32\SPOOLSVV.EXE

Trojan.Downloader-UPNP
C:\WINDOWS\SYSTEM32\UPNP.EXE

Trojan.Downloader-RS1/Bundles
C:\WINDOWS\SYSTEM32\WA8B6A6A.DLL

Trojan.SmitFraud Variant
C:\WINDOWS\XPUPDATE.EXE

Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 12:11:34 AM, on 1/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIBF9C~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIBF9C~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - Unknown owner - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe" runservice -N "pgsql-8.0" -D "C:\Program Files\PostgreSQL\8.0\data\ (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#9
Jrenter2 (Member, 435 posts)
Hi Prototype

Sorry for the delay. Looks like we got rid of a few items in that last run. That's good. Your log is looking better. There appears to be one thing left there we need to get rid of. Please do the following:

Step 1

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\alsys.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Step 2

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Step 3

Next step will be to re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot.

Step 4

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 5

When that is all completed post back here with the following:

New HJT log
WinPFind.txt
Status of your computer now

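Once the WinPFind log requested in Step 2 comes back, the lines under "Checking %WinDir% folder..." and "Checking %System% folder..." are the ones to triage: each carries a packer signature, a timestamp, a size, a path and the vendor string from the file's version resource. The following is an added Python example, not part of this thread and not WinPFind's own code, that parses a constructed sample in that format and flags packed binaries with an empty vendor string modified on or after an assumed cutoff (1/22/2007, the earliest timestamp on the unsigned packed files in the log posted later in this thread):

```python
import re
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample in the line format WinPFind uses under "Checking %WinDir%
# folder..." / "Checking %System% folder...": <signature> <date> <time> <size>
# <path> (<vendor>). The entries mirror lines from the log posted in this thread.
SAMPLE_LOG = r"""
Checking %WinDir% folder...
UPX! 1/22/2007 10:06:24 PM 5120 C:\WINDOWS\comdlg96.dll ()

Checking %System% folder...
UPX! 1/27/2007 12:33:38 PM 54218 C:\WINDOWS\SYSTEM32\abc.exe ()
WSUD 9/20/2004 3:20:00 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
UPX! 12/30/2006 6:16:36 PM 313344 C:\WINDOWS\SYSTEM32\avisynth.dll (The Public)
PEC2 8/4/2004 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2 10/2/2006 9:04:40 PM 635486 C:\WINDOWS\SYSTEM32\divx.dll (DivX, Inc.)
UPX! 1/23/2007 4:58:32 PM 54403 C:\WINDOWS\SYSTEM32\game0.exe ()
UPX! 1/25/2004 8:18:34 AM 70656 C:\WINDOWS\SYSTEM32\i420vfw.dll (www.helixcommunity.org)
aspack 8/4/2004 4:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
UPX! 1/25/2007 4:56:18 PM 36462 C:\WINDOWS\SYSTEM32\Ivm6R47.exe ()
"""

# Assumed cutoff: the earliest timestamp on the unsigned packed files in the
# posted log. Anything packed, unsigned and touched on or after it is worth a look.
INCIDENT_START = datetime(2007, 1, 22)

# Signatures WinPFind prints for common executable packers; the other tags it
# prints (WSUD, Umonitor, winsync) are not packers and are ignored here.
PACKER_SIGS = {"UPX!", "PEC2", "PECompact2", "aspack", "ASPack"}

LINE_RE = re.compile(
    r"^(?P<sig>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<vendor>[^()]*)\)$"
)


class Entry(NamedTuple):
    signature: str
    modified: datetime
    size: int
    path: str
    vendor: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_winpfind(text: str) -> List[Entry]:
    """Parse the per-file lines; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        modified = datetime.strptime(
            f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        entries.append(Entry(m["sig"], modified, int(m["size"]),
                             m["path"], m["vendor"].strip()))
    return entries


def triage(entries: List[Entry], since: datetime) -> List[Entry]:
    """Packed + no vendor string + modified on/after the cutoff.

    Packing alone proves nothing (divx.dll and avisynth.dll are packed and
    legitimate), an empty vendor alone proves nothing (dfrg.msc is a stock XP
    file), and both the timestamp and the version resource are under the
    attacker's control. The three together narrow the list to what a helper
    would ask about next, not to a verdict.
    """
    return [e for e in entries
            if e.signature in PACKER_SIGS and not e.vendor and e.modified >= since]


def flagged_names(text: str, since: datetime = INCIDENT_START) -> List[str]:
    """Convenience wrapper: file names the triage rule flags, in log order."""
    return [e.name for e in triage(parse_winpfind(text), since)]


if __name__ == "__main__":
    for e in triage(parse_winpfind(SAMPLE_LOG), INCIDENT_START):
        print(f"{e.modified:%Y-%m-%d %H:%M} {e.signature:<5} {e.size:>8} {e.path}")
```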
#10
prototype (Topic Starter, New Member, 8 posts)
Okay. Here's the WinPFind log.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 1/27/2007 2:45:15 PM
WinPFind v1.5.0 Folder = C:\winPfind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 1/22/2007 10:06:24 PM 5120 C:\WINDOWS\comdlg96.dll ()
UPX! 1/22/2007 10:06:10 PM 5632 C:\WINDOWS\sasunx.exe ()

Checking %System% folder...
UPX! 1/27/2007 12:33:38 PM 54218 C:\WINDOWS\SYSTEM32\abc.exe ()
UPX! 1/26/2007 12:11:40 AM 4608 C:\WINDOWS\SYSTEM32\adir.dll ()
WSUD 9/20/2004 3:20:00 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
UPX! 12/30/2006 6:16:36 PM 313344 C:\WINDOWS\SYSTEM32\avisynth.dll (The Public)
PEC2 8/4/2004 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2 10/2/2006 9:04:40 PM 635486 C:\WINDOWS\SYSTEM32\divx.dll (DivX, Inc.)
PECompact2 10/2/2006 9:04:40 PM 635486 C:\WINDOWS\SYSTEM32\divx.dll (DivX, Inc.)
PEC2 8/16/2006 6:13:34 AM 1382280 C:\WINDOWS\SYSTEM32\fftw3.dll ()
UPX! 1/27/2007 5:45:48 AM 54222 C:\WINDOWS\SYSTEM32\game.exe ()
UPX! 1/23/2007 4:58:32 PM 54403 C:\WINDOWS\SYSTEM32\game0.exe ()
UPX! 1/27/2007 10:32:02 AM 50634 C:\WINDOWS\SYSTEM32\game3.exe ()
UPX! 1/25/2004 8:18:34 AM 70656 C:\WINDOWS\SYSTEM32\i420vfw.dll (www.helixcommunity.org)
UPX! 1/25/2007 4:56:18 PM 36462 C:\WINDOWS\SYSTEM32\Ivm6R47.exe ()
UPX! 1/27/2007 10:32:02 AM 35786 C:\WINDOWS\SYSTEM32\M3P3hIo.exe ()
aspack 8/4/2004 4:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 4:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 4:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 1/23/2007 1:34:58 AM 32387 C:\WINDOWS\SYSTEM32\s.exe ()
UPX! 1/22/2007 10:05:24 PM 96256 C:\WINDOWS\SYSTEM32\vcvpygj.dll ()
winsync 8/4/2004 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PEC2 10/18/2006 9:47:20 PM 8231936 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)
WSUD 10/18/2006 9:47:20 PM 8231936 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)
UPX! 1/25/2004 8:18:44 AM 70656 C:\WINDOWS\SYSTEM32\yv12vfw.dll (www.helixcommunity.org)

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/27/2007 2:41:52 PM S 2048 C:\WINDOWS\bootstat.dat ()
12/6/2006 11:20:04 AM RH 749 C:\WINDOWS\WindowsShell.Manifest ()
12/14/2006 12:10:10 AM RHS 227 C:\WINDOWS\assembly\Desktop.ini ()
12/27/2006 10:52:56 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme ()
12/27/2006 10:52:56 PM RH 0 C:\WINDOWS\assembly\pubpol3.dat ()
12/25/2006 11:36:34 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index21.dat ()
12/25/2006 11:36:38 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
12/6/2006 11:20:10 AM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()
12/6/2006 11:20:50 AM HS 67 C:\WINDOWS\Fonts\desktop.ini ()
12/6/2006 11:20:10 AM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()
12/6/2006 11:20:32 AM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab ()
12/6/2006 11:20:32 AM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab ()
12/6/2006 11:20:32 AM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab ()
12/6/2006 11:21:36 AM H 225280 C:\WINDOWS\repair\ntuser.dat ()
12/6/2006 11:20:04 AM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest ()
12/6/2006 11:20:10 AM RH 488 C:\WINDOWS\system32\logonui.exe.manifest ()
12/6/2006 11:20:04 AM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest ()
12/6/2006 11:20:04 AM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest ()
12/6/2006 11:20:04 AM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest ()
12/6/2006 11:20:10 AM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest ()
12/6/2006 11:20:04 AM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest ()
1/27/2007 2:41:50 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
1/27/2007 2:42:06 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
1/27/2007 2:41:54 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
1/27/2007 2:44:56 PM H 184320 C:\WINDOWS\system32\config\software.LOG ()
1/27/2007 2:41:56 PM H 823296 C:\WINDOWS\system32\config\system.LOG ()
12/6/2006 3:06:24 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG ()
12/6/2006 3:06:26 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG ()
12/6/2006 3:09:46 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()
12/30/2006 10:24:44 PM S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
12/30/2006 10:24:50 PM S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
12/30/2006 10:24:42 PM S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 ()
12/15/2006 7:55:30 PM S 1039 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\CFC456E7E410D69E2C6F3E2DB75C7DB3 ()
12/7/2006 11:28:50 AM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 ()
12/30/2006 10:24:44 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
12/30/2006 10:24:50 PM S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
12/30/2006 10:24:42 PM S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 ()
12/15/2006 7:55:30 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\CFC456E7E410D69E2C6F3E2DB75C7DB3 ()
12/7/2006 11:28:50 AM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 ()
12/6/2006 3:09:46 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()
12/6/2006 11:24:46 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()
12/6/2006 11:24:46 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()
12/6/2006 11:24:46 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()
12/6/2006 11:24:46 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()
12/6/2006 11:24:46 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01234T6V\desktop.ini ()
12/6/2006 11:24:46 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\45UJK9YN\desktop.ini ()
12/6/2006 11:24:46 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LYNODE3\desktop.ini ()
12/6/2006 11:24:46 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPE3GHU7\desktop.ini ()
12/6/2006 11:20:12 AM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()
12/6/2006 3:09:46 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()
12/6/2006 11:21:30 AM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()
12/6/2006 11:21:28 AM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()
12/6/2006 11:21:28 AM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()
12/6/2006 11:21:28 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()
12/6/2006 11:21:28 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()
12/6/2006 12:16:02 PM H 0 C:\WINDOWS\system32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf ()
12/6/2006 12:15:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\90c91ab6-17a8-40c8-bb0a-a3edf2099513 ()
12/6/2006 12:15:08 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
12/6/2006 11:24:52 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a3dea7a7-1b6a-4367-b30a-308550c63f8e ()
12/6/2006 11:24:52 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
1/27/2007 2:32:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
12/11/2006 2:44:04 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()
12/11/2006 2:44:04 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()
12/11/2006 2:44:04 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C9AZK5QJ\desktop.ini ()
12/11/2006 2:44:04 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K9A3OT2V\desktop.ini ()
12/11/2006 2:44:04 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OXUV0LIB\desktop.ini ()
12/11/2006 2:44:04 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\W1Y7CLYR\desktop.ini ()

Checking for CPL files...
8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
9/20/2004 3:20:00 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/4/2004 4:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
12/22/2004 1:32:00 AM 1261676 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL (Broadcom Corporation)
8/4/2004 4:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
1/14/2006 6:25:12 AM 81920 C:\WINDOWS\SYSTEM32\ImageDrive.cpl (Nero AG)
8/4/2004 4:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/9/2006 3:07:28 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/4/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
10/24/2004 8:11:24 AM 258048 C:\WINDOWS\SYSTEM32\PPortJoy.cpl ()
8/4/2004 4:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 162304 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 162304 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.ma...ash/swflash.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/4/2007 9:09:50 PM 1746 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
1/4/2007 9:09:50 PM 1788 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk ()
12/6/2006 11:21:28 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/6/2006 3:09:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
12/6/2006 11:21:28 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
12/6/2006 3:09:46 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini ()
12/6/2006 5:47:48 PM 122 C:\Documents and Settings\Owner\Application Data\iScrobbler.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...ER}&ar=home
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...&ar=msnhome
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - = ()
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8192 = Windows Messenger
\\NEXTID - 8196
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 = Sun Java Console
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8194 =
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8195 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\AIM\aim.exe (America Online, Inc.)
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{2F5AC606-70CF-461C-BFE1-734234536262} - WindowBlinds CPL Extension = C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll (Stardock.Net, Inc)
\\{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} - Context Menu Shell Extension = C:\PROGRA~1\TAGREN~1\TRshell.dll (Softpointer Inc)
\\{23170F69-40C1-278A-1000-000100020000} - 7-Zip Shell Extension = C:\Program Files\7-Zip\7-zip.dll ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\7-Zip - {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll ()
\AEVITAWipeDelete - {047234B3-8B93-4396-8EB5-F4DF8CDA1F10} = C:\PROGRA~1\AEVITA~1\WIPEDE~1.DLL ()
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\TagRename_ContextMenu - {7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} = C:\PROGRA~1\TAGREN~1\TRshell.dll (Softpointer Inc)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{CA8ACAFA-5FBB-467B-B348-90DD488DE003} - SUPERAntiSpyware Context Menu = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com)
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\7-Zip - {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll ()
\AEVITAWipeDelete - {047234B3-8B93-4396-8EB5-F4DF8CDA1F10} = C:\PROGRA~1\AEVITA~1\WIPEDE~1.DLL ()
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{CA8ACAFA-5FBB-467B-B348-90DD488DE003} - SUPERAntiSpyware Context Menu = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AEVITAWipeDelete - {047234B3-8B93-4396-8EB5-F4DF8CDA1F10} = C:\PROGRA~1\AEVITA~1\WIPEDE~1.DLL ()
\TagRename_ContextMenu - {7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} = C:\PROGRA~1\TAGREN~1\TRshell.dll (Softpointer Inc)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
P17Helper - Rundll32 P17.dll ()
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe (Sun Microsystems, Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
Broadcom Wireless Manager UI - C:\WINDOWS\system32\WLTRAY.exe (Broadcom Corporation)
CTSysVol - C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
UpdReg - C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
Babylon Client - C:\Program Files\Babylon\Babylon.exe ()
lnwin.exe - C:\WINDOWS\system32\lnwin.exe ()
KernelFaultCheck - ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
µTorrent - C:\Program Files\uTorrent\utorrent.exe ()
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
Agent - C:\WINDOWS\system32\alsys.exe ()
AIM - C:\Program Files\AIM\aim.exe -cnetwait.odl ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup C:\WINDOWS\pss\Adobe Gamma.lnkStartup
location Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location Startup
command C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Z_Start.lnk
backup C:\WINDOWS\pss\Z_Start.lnkStartup
location Startup
command C:\WINDOWS\Temp\stdrun9.exe SKY001
item Z_Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIMWDInstallFilename
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AIMWDI~1
hkey HKLM
command C:\PROGRA~1\AIM\AIMWDI~1.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeluxeCommunications
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Dxc
hkey HKLM
command C:\Program Files\DeluxeCommunications\Dxc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Steam
hkey HKCU
command "C:\Program Files\Steam\Steam.exe" -silent
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SUPERAntiSpyware
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SUPERAntiSpyware
hkey HKCU
command C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdReg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vcvpygj.dll
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vcvpygj
hkey HKLM
command C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\vcvpygj.dll",tidqud
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
\\WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)
\\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - SABShellExecuteHook Class = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\!SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll = (SUPERAntiSpyware.com)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll = (Stardock)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{4FFC8715-EB2B-41E2-AB32-C791615F021C} - (NVIDIA nForce MCP Networking Controller)
{DC596423-3768-4877-BC1E-565E68ACBF0F} - (1394 Net Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\skype4com - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


And here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:51:26 PM, on 1/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIBF9C~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIBF9C~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - Unknown owner - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe" runservice -N "pgsql-8.0" -D "C:\Program Files\PostgreSQL\8.0\data\ (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



In HJT I selected Fix checked on the ones you told me to do.


And right before I came back to this topic, I booted in Normal mode and it restarted automatically. I don't know why. But whenever I go back into normal mode now, it restarts automatically.

**EDIT - Now it seems to be fine after I deleted alsys.exe.

And I also ran ATFcleaner.

Edited by prototype, 27 January 2007 - 05:01 PM.


#11 Jrenter2 (Member, 435 posts)

Hi Prototype,

Could you please verify how things are going with your system? I was a little confused by the message below.


And right before I came back to this topic, I booted in Normal mode and it restarted automatically. I don't know why. But whenever I go back into normal mode now, it restarts automatically.

**EDIT - Now it seems to be fine after I deleted alsys.exe.

And I also ran ATFcleaner.

#12 prototype (Topic Starter, 8 posts)

I mean, it's kind of on-offish.

After I deleted alsys.exe using KillBox, I was able to boot into Normal mode.

Before that, whenever I booted into normal mode, it restarted automatically without warning.


Just now, I turned on my computer. As soon as I tried to log on, it did the strange restart again.

I tried booting into normal mode again, logged on, and was told that Microsoft has recovered from a serious error.

I hit OK and now things are normal. (Or are they?)

#13 Jrenter2 (Member, 435 posts)

Hi Prototype,

Well, things are moving right along... let's try and finish this up with the following.

Step 1

The first thing we need to do is make a backup of your registry. Please follow the instructions below.

Go to Start > Run and type regedit in the blank. Then click OK. In the left window highlight My Computer at the top.
Go to File > Export
Type in backup for the file name
Leave Save as type as "Registration Files (*.reg)"
Click All in the Export range box (it should be already checked).
Place your file somewhere safe so you remember where you put it, like maybe C:\My Documents.
Click Save and then go to File > Exit.
Ok, that'll take care of your backup in case we need it later. Now, let's deal with getting rid of the problems from your current registry.

Next, please open Notepad again and copy and paste the following text inside the box (including REGEDIT4) and save it as MYFIX.REG. Set Save as type to All Files, and save it to your Desktop.

REGEDIT4

; "name"=- deletes a single value under the key; [-Key] deletes the whole key.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lnwin.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Agent"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeluxeCommunications]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vcvpygj.dll]

Now, locate your MYFIX.REG file and double-click on it and allow it to merge with your registry.

Step 2

Finally, please open Notepad and copy and paste the following text inside the box and save it as Filesgone.bat. Set Save as type to All Files, and save it to the Desktop.

@Echo off
rem Clear the system, read-only and hidden attributes first: del skips hidden files and refuses read-only ones.
attrib -s -r -h "C:\WINDOWS\sasunx.exe"
del /q "C:\WINDOWS\sasunx.exe"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\adir.dll"
del /q "C:\WINDOWS\SYSTEM32\adir.dll"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\game.exe"
del /q "C:\WINDOWS\SYSTEM32\game.exe"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\game0.exe"
del /q "C:\WINDOWS\SYSTEM32\game0.exe"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\game3.exe"
del /q "C:\WINDOWS\SYSTEM32\game3.exe"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\s.exe"
del /q "C:\WINDOWS\SYSTEM32\s.exe"
attrib -s -r -h "C:\WINDOWS\system32\lnwin.exe"
del /q "C:\WINDOWS\system32\lnwin.exe"
attrib -s -r -h "C:\WINDOWS\system32\alsys.exe"
del /q "C:\WINDOWS\system32\alsys.exe"
attrib -s -r -h "C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Z_Start.lnk"
del /q "C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Z_Start.lnk"
attrib -s -r -h "C:\WINDOWS\pss\Z_Start.lnkStartup"
del /q "C:\WINDOWS\pss\Z_Start.lnkStartup"
attrib -s -r -h "C:\WINDOWS\Temp\stdrun9.exe"
del /q "C:\WINDOWS\Temp\stdrun9.exe"
attrib -s -r -h "C:\Documents and Settings\Owner\Local Settings\Application Data\vcvpygj.dll"
del /q "C:\Documents and Settings\Owner\Local Settings\Application Data\vcvpygj.dll"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\vcvpygj.dll"
del /q "C:\WINDOWS\SYSTEM32\vcvpygj.dll"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\Ivm6R47.exe"
del /q "C:\WINDOWS\SYSTEM32\Ivm6R47.exe"
attrib -s -r -h "C:\WINDOWS\SYSTEM32\M3P3hIo.exe"
del /q "C:\WINDOWS\SYSTEM32\M3P3hIo.exe"
rem Done; close the command window.
exit

Step 3

Reboot into Safe Mode

Step 4

Now, find your Filesgone.bat file and double-click on it to run it. After complete, reboot into Normal mode.

Step 5

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Reboot your system.

Please reply back with the following:
Kaspersky Log
New HJT Log
Status of how your computer is running


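The checks a helper applies by eye when reading the O4 lines in prototype's log above (a binary started from Temp or a per-user data folder, rundll32 loading a DLL out of the user profile, an executable in system32 that nobody recognises, a random-looking name such as vcvpygj) can be written down, and the Run-value half of Jrenter2's MYFIX.REG can then be generated from the result. The Python below is an added example for this thread; it is not code from HijackThis, from the forum or from the helper. The sample O4 lines are constructed in the logged format, and KNOWN_SYSTEM, TRANSIENT_DIRS and the vowel threshold in looks_random are illustrative assumptions, not a vetted allowlist.

```python
"""Triage HijackThis O4 autostart lines and emit a REGEDIT4 fix for the flagged ones.
Added example for this thread; not HijackThis code and not the helper's own tooling."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape HijackThis v1.99 prints O4 entries (modelled on the logs above).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKLM\..\Run: [vcvpygj] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\vcvpygj.dll",tidqud
O4 - Startup: Z_Start.lnk = C:\WINDOWS\Temp\stdrun9.exe SKY001
""".strip()

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
EXE_EXT = (".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".pif")
# Assumed allowlist (hypothetical, deliberately short) of XP binaries that belong in Run.
KNOWN_SYSTEM = {"ctfmon.exe", "dumprep", "dumprep.exe", "rundll32", "rundll32.exe"}
# Droppers favour these folders; legitimate autostarts almost never live there.
TRANSIENT_DIRS = ("\\temp\\", "\\local settings\\application data\\", "\\application data\\")
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}

@dataclass
class Entry:
    hive: str    # "HKLM", "HKCU", or "STARTUP" for a .lnk in a Startup folder
    name: str    # registry value name or .lnk file name
    image: str   # first executable on the command line
    target: str  # DLL handed to rundll32, otherwise the same as image
    reasons: list = field(default_factory=list)

def first_path(cmd):
    """Split off the first executable path; HJT prints unquoted paths that contain spaces."""
    cmd = cmd.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    if end > 0:
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split() or [""]
    if "\\" in tokens[0]:  # grow the path token by token until an extension appears
        for i in range(1, len(tokens) + 1):
            head = " ".join(tokens[:i])
            if head.lower().endswith(EXE_EXT):
                return head, " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])  # bare name, or no extension ("dumprep 0 -k")

def looks_random(name):
    # Vowel-starved stem such as "vcvpygj"; product names rarely look like this.
    letters = [c for c in name.split(".")[0].lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) < 0.15

def classify(e):
    t, img = e.target.lower(), e.image.lower()
    if any(d in t for d in TRANSIENT_DIRS):
        e.reasons.append("runs from a Temp or per-user data folder")
    if e.target != e.image and not t.startswith(("c:\\windows\\", "%systemroot%\\")):
        e.reasons.append("rundll32 loads a DLL from outside the Windows folder")
    if "\\system32\\" in img and img.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM:
        e.reasons.append("review: unrecognised binary in system32 (check publisher and hash)")
    if looks_random(e.name):
        e.reasons.append("random-looking value name")
    return e

def triage(text):
    """Parse every O4 line into an Entry and attach the reasons it deserves a look."""
    entries = []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            hive = m.group(1)
        elif m := STARTUP_RE.match(line):
            hive = "STARTUP"
        else:
            continue
        image, rest = first_path(m.group("cmd"))
        target = image
        if image.rsplit("\\", 1)[-1].lower().startswith("rundll32"):  # rundll32 <dll>,<entrypoint>
            target = first_path(rest)[0].split(",")[0]
        entries.append(classify(Entry(hive, m.group("name"), image, target)))
    return entries

def to_regedit4(entries):
    """REGEDIT4 text deleting each flagged Run value; Startup .lnk files are listed as ; comments."""
    out = ["REGEDIT4", ""]
    for hive, key in RUN_KEYS.items():
        names = [e.name for e in entries if e.hive == hive and e.reasons]
        if names:
            out += [f"[{key}]", *[f'"{n}"=-' for n in names], ""]
    out += [f"; delete the file by hand: {e.name} -> {e.image}"
            for e in entries if e.hive == "STARTUP" and e.reasons]
    return "\n".join(out).rstrip() + "\n"

if __name__ == "__main__":
    flagged = [e for e in triage(SAMPLE_O4) if e.reasons]
    print(*(f"{e.hive:8}{e.name:20}{'; '.join(e.reasons)}" for e in flagged), sep="\n")
    print(to_regedit4(flagged))
```

Run it with python and it prints the flagged entries followed by a REGEDIT4 file that removes the Run values in the same "name"=- form MYFIX.REG uses; a Startup-folder .lnk is a file rather than a value, so it is listed in a ; comment for deletion by hand, as Filesgone.bat does. Treat the "review" findings as a prompt to check the file's publisher and hash rather than as a verdict: the allowlist is tiny, so a legitimate but unknown system32 binary is flagged the same way lnwin.exe and alsys.exe are.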
#14 prototype (Topic Starter, 8 posts)

Okay. I ran the bat file in safe mode and rebooted.

Here's the Kaspersky log followed by the HJT log.

As of writing this my computer SEEMS to be okay, but Kaspersky thinks otherwise.


***Edit --- My computer restarted again, randomly, a few minutes ago. (This is a few hours after my initial post.)

EDIT Number 2: It restarted again a few minutes after logging back into normal mode, which is after I posted the above edit^^. It doesn't seem like normal mode wants to cooperate, so for now I'm in Safe mode with networking.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 28, 2007 5:41:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/01/2007
Kaspersky Anti-Virus database records: 262754
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 90544
Number of viruses found: 34
Number of infected objects: 115 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:53:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\1988 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\aaaailxe.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe Infected: Email-Worm.Win32.Luder.a skipped
C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\myvsnqsr.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\pfukkuaq.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6210D Installer\Inst2\aaaaaahw.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6210D Installer\Inst2\aaaailcd.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6210D Installer\Inst2\jswbqmdw.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6210D Installer\Inst2\myvsnqgs.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6210D Installer\Inst2\myvsvcbj.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6210D Installer\Inst2\sltchyvx.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Desktop\sltcpoek.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AEVITA\aaaaipwl.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Video\LITTLEMISSSUNSHINE\Little.Miss.Sunshine[2006]DvDrip[Eng]-aXXo\Little.Miss.Sunshine[2006]DvDrip[Eng]-aXXo.avi Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Video\TRANSPORTER2\Transporter.2[2005]DvDrip[Eng]-aXXo.avi Object is locked skipped
C:\Documents and Settings\Owner\Ii1EBFU.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\container.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\httpinput.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\metadata.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\playback.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\sidebar.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\skype.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\transcode.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\webservice.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\1a5c18ks.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007012820070129\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\snipe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\snipe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\snipe\Local Settings\Temporary Internet Files\Content.IE5\9A0RG7F2\abc[2].exe Infected: Email-Worm.Win32.Zhelatin.i skipped
C:\Documents and Settings\snipe\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\snipe\NTUSER.dat.LOG Object is locked skipped
C:\Program Files\AIM Invader\AIMInvader.exe Infected: Flooder.Win32.VB.n skipped
C:\Program Files\PostgreSQL\8.0\data\pg_log\postgresql-2007-01-28_152625.log Object is locked skipped
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Program Files\Trillian\users\default\logs\AIM\Query\tupacsaidshorty.log Object is locked skipped
C:\Program Files\Trillian\users\default\logs\AIM\Query\zaidissofresh.log Object is locked skipped
C:\Program Files\Trillian\users\default\logs\MSN\Query\[email protected] Object is locked skipped
C:\Program Files\xampp\apache\logs\access.log Object is locked skipped
C:\Program Files\xampp\apache\logs\error.log Object is locked skipped
C:\Program Files\xampp\apache\logs\ssl_request.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP132\A0017476.exe/data0002 Infected: Flooder.Win32.VB.n skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP132\A0017476.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP132\A0017477.exe/data0002 Infected: Flooder.Win32.VB.n skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP132\A0017477.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023497.exe Infected: Packed.Win32.PePatch.dw skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023498.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP144\A0023549.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024528.exe Infected: Email-Worm.Win32.Luder.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024534.exe Infected: Trojan-Proxy.Win32.Ranky.gen skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024535.exe Infected: Trojan-Proxy.Win32.Ranky.gen skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024536.exe Infected: Trojan-Proxy.Win32.Ranky.gen skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024537.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024549.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0024550.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0025541.exe Infected: Email-Worm.Win32.Luder.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029559.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029562.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029563.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029564.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029568.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029598.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029599.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029600.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029601.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0029602.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0030573.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0030608.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP145\A0030610.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP146\A0030621.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031644.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031646.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031667.exe Infected: Packed.Win32.Tibs.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031668.exe Infected: Packed.Win32.Tibs.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031669.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031675.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031676.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031677.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031678.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031682.dll Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031683.dll Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031684.exe Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031685.exe Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031687.exe Infected: Email-Worm.Win32.Luder.a skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031692.exe Infected: Trojan-Downloader.Win32.Tibs.ka skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031693.exe Infected: Trojan-Downloader.Win32.Tibs.dr skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031694.exe Infected: Packed.Win32.Tibs.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031695.exe Infected: Packed.Win32.Tibs.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031696.exe Infected: Packed.Win32.Tibs.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031697.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031698.exe Infected: Backdoor.Win32.PcClient.cj skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031699.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031700.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031701.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031702.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031703.exe Infected: Trojan.Win32.Agent.acr skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031704.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031705.exe Infected: Trojan-Clicker.Win32.VB.is skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031706.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031707.exe Infected: Email-Worm.Win32.Zhelatin.b skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031708.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031709.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031710.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031712.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031714.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031715.exe Infected: Trojan-Downloader.Win32.Small.cul skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031717.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031722.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031734.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031735.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0031921.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0031924.exe Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0031925.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0032724.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0032725.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0032726.exe Infected: Email-Worm.Win32.Banwarum.k skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0032728.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0032729.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0032730.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0033763.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0033764.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0033813.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0034822.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP148\A0034823.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0034944.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035022.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035025.exe Infected: Backdoor.Win32.PcClient.cj skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035026.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035027.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035028.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035029.exe Infected: Email-Worm.Win32.Banwarum.l skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035030.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035031.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035032.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035033.exe Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035034.exe Infected: Email-Worm.Win32.Zhelatin.f skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\A0035067.exe Infected: Email-Worm.Win32.Zhelatin.i skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP149\change.log Object is locked skipped
C:\WINDOWS\comdlg96.dll Infected: Backdoor.Win32.PcClient.cj skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\autubeub.exe Infected: Backdoor.Win32.SdBot.baa skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 5:42:36 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Last.fm\LastFM.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIBF9C~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIBF9C~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - Unknown owner - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe" runservice -N "pgsql-8.0" -D "C:\Program Files\PostgreSQL\8.0\data\ (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by prototype, 28 January 2007 - 09:45 PM.

#15
Jrenter2

    Member

  • Member
  • 435 posts
Hi Prototype,

Well, there is light at the end of the tunnel. Your system restore point and a few other files are infected. Just a little more to do....

Step 1

Please run an on-line virus scan at BitDefender.

Step 2

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-check *Turn off System Restore*.
Click Apply, and then click OK.

Post back with scan report and a new HijackThis log and let me know how things are running.
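Both the Kaspersky report prototype posted and Step 2 above hinge on where an infected file sits. A scanner can report but cannot touch the copies under C:\System Volume Information\_restore{...}\RP###\, so the only fix for those is to purge the restore points; files anywhere else (for example C:\WINDOWS\comdlg96.dll and C:\WINDOWS\system32\autubeub.exe in the report) stay on disk until something removes them; and "Object is locked skipped" lines are files the running system has open (registry hives, event logs, browser profile databases), not detections. The Python script below is an added example, not code from this thread or from Kaspersky. It parses report lines of the three shapes seen above and sorts the hits into those buckets, treating Kaspersky's "not-a-virus:" classes as riskware to be judged rather than deleted outright. The sample lines are copied from the report above, and the line format it assumes is only what that report shows.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# The three line shapes that appear in the Kaspersky Online Scanner report above:
#   <path> Infected: <detection name> skipped
#   <path> Object is locked skipped
#   <path> Inno: infected - <n> skipped      (an installer whose member was flagged)
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)|Inno: infected - \d+) "
    r"skipped$"
)
# System Restore keeps private copies of files under this tree; a scanner can report
# them but cannot clean them, which is why the restore points have to be purged.
RESTORE_RE = re.compile(
    r"^[a-z]:\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.IGNORECASE
)
# Archive/installer members are reported as "<container>/dataNNNN"; fold them onto the container.
MEMBER_RE = re.compile(r"/[^/\\]+$")


@dataclass
class Finding:
    path: str               # container path with any member suffix removed
    verdict: str            # detection name, or "archive-infected" for a bare container line
    in_restore_point: bool
    riskware: bool          # Kaspersky's "not-a-virus:" classes (RemoteAdmin, AdWare, FraudTool, ...)


def parse_line(line: str):
    """Return a Finding for an infected object, the string "locked" for an in-use file, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return "locked"
    path = MEMBER_RE.sub("", m.group("path"))
    verdict = m.group("name") or "archive-infected"
    return Finding(
        path=path,
        verdict=verdict,
        in_restore_point=bool(RESTORE_RE.match(path)),
        riskware=verdict.startswith("not-a-virus:"),
    )


def family(verdict: str) -> str:
    """Drop the variant letters: Trojan-Proxy.Win32.Lager.dp -> Trojan-Proxy.Win32.Lager."""
    return verdict.rsplit(".", 1)[0] if verdict.count(".") >= 2 else verdict


def triage(report_lines: Iterable[str]) -> dict:
    """Split a report into live malware to remove, live riskware to judge, and restore-point
    copies that only a System Restore reset will get rid of. Locked objects are just counted."""
    locked = 0
    by_path = {}  # one Finding per file, keyed by case-folded path
    for line in report_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        if isinstance(parsed, str):
            locked += 1
            continue
        key = parsed.path.lower()
        # A container can appear twice (per member and as a whole); keep the named detection.
        if key not in by_path or by_path[key].verdict == "archive-infected":
            by_path[key] = parsed
    live = [f for f in by_path.values() if not f.in_restore_point]
    restore = [f for f in by_path.values() if f.in_restore_point]
    return {
        "locked": locked,
        "live_malware": sorted(f.path for f in live if not f.riskware),
        "live_riskware": sorted(f.path for f in live if f.riskware),
        "restore_point_copies": len(restore),
        "restore_point_families": sorted({family(f.verdict) for f in restore}),
    }


# Constructed sample: eleven lines copied verbatim from the report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\Ii1EBFU.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\NetworkService\Desktop\sltcpoek.t Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP132\A0017476.exe/data0002 Infected: Flooder.Win32.VB.n skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP132\A0017476.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031698.exe Infected: Backdoor.Win32.PcClient.cj skipped
C:\System Volume Information\_restore{2EB6B589-32E6-4314-A02D-F9A90815499E}\RP147\A0031675.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\WINDOWS\comdlg96.dll Infected: Backdoor.Win32.PcClient.cj skipped
C:\WINDOWS\system32\autubeub.exe Infected: Backdoor.Win32.SdBot.baa skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
""".strip().splitlines()


def triage_sample() -> dict:
    return triage(SAMPLE_REPORT)


if __name__ == "__main__":
    r = triage_sample()
    print(f"{r['locked']} locked (in-use) objects ignored; they are not detections")
    print(f"{r['restore_point_copies']} restore-point copies ({', '.join(r['restore_point_families'])}): reset System Restore")
    print("Live malware to remove:", *r["live_malware"], sep="\n   ")
    print("Live riskware to judge case by case:", *r["live_riskware"], sep="\n   ")
```

Run it as-is to triage the embedded sample, or pass the lines of a saved report to triage(). The riskware bucket is where judgment is needed: TightVNC under Program Files is flagged as not-a-virus:RemoteAdmin because it is a remote-control tool, and whether it stays is a decision for whoever owns the machine, not for the scanner.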