vundo HijackThis log with uninstall_list, SUPERAntiSpyware Scan Log an

This topic is locked

#16 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hmm, strange, it seems like all the malware returned.

Delete ComboFix.exe and the folder C:\qoobox, then do this:

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#17 kuraikinzoku (Topic Starter, Member, 38 posts)
ComboFix 08-02.05.3 - Owner 2008-02-08 21:27:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.84 [GMT -8:00]
Running from: F:\compfix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\3_exception.nls

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-06 08:51 . 2004-08-12 05:56 388,608 --a------ C:\kmd.exe
2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 23:17 . 2008-02-05 18:02 <DIR> d-------- C:\SDFix
2008-02-03 22:21 . 2008-02-03 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:54 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-03 17:29 . 2006-05-05 01:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-03 11:20 . 2008-02-03 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 11:20 . 2008-02-03 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 11:20 . 2008-02-03 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 11:19 . 2008-02-03 18:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33 . 2008-02-02 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29 . 2008-02-07 23:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29 . 2008-02-02 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24 . 2008-02-02 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35 . 2008-02-05 01:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30 . 2008-02-02 21:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 21:29 . 2008-02-02 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 20:37 . 2008-02-08 17:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 20:37 . 2008-02-02 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-24 18:59 . 2008-02-03 18:28 <DIR> d-------- C:\Program Files\RcvSystem

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 00:59 --------- d-----w C:\Program Files\Qbkjqwxd
2008-02-04 02:35 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-02-04 02:35 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-25 03:01 99 ----a-w C:\Documents and Settings\Owner\d.bat
2007-12-16 19:38 19,840 ----a-w C:\WINDOWS\system32\drivers\Mta38.sys
2007-10-08 18:39 126 ----a-w C:\Documents and Settings\Owner\c200.bat
2007-10-05 23:17 123 ----a-w C:\Documents and Settings\Owner\c.bat
2007-08-07 21:46 6,461 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-11 18:05 1,700,299 --sha-w C:\WINDOWS\system32\wvvwa.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"zoku"="C:\PROGRA~1\COMMON~1\zoku\zokum.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"{34-4F-F5-54-ZN}"="C:\WINDOWS\system32\lodsrngs.exe" [ ]
"wmjwkrfk"="C:\Program Files\Qbkjqwxd\wmjwkrfk.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-03 18:35 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-03 18:35 118784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2008-02-03 18:33 122880]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 Mta38;Mta38;C:\WINDOWS\system32\drivers\Mta38.sys [2007-12-16 11:38]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 17:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 21:29:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 21:30:25
ComboFix-quarantined-files.txt 2008-02-09 05:30:16
ComboFix2.txt 2008-02-06 16:55:10
.
2008-02-05 09:33:32 --- E O F ---




------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:51 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [{34-4F-F5-54-ZN}] C:\WINDOWS\system32\lodsrngs.exe CHD003
O4 - HKLM\..\Run: [wmjwkrfk] C:\Program Files\Qbkjqwxd\wmjwkrfk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [zoku] C:\PROGRA~1\COMMON~1\zoku\zokum.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3762 bytes

#18 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\drivers\Mta38.sys"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\system32\drivers\Mta38.sys

  • Click Open.
  • Click Post.
Thank you!



1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Run: [{34-4F-F5-54-ZN}] C:\WINDOWS\system32\lodsrngs.exe CHD003
O4 - HKLM\..\Run: [wmjwkrfk] C:\Program Files\Qbkjqwxd\wmjwkrfk.exe
O4 - HKCU\..\Run: [zoku] C:\PROGRA~1\COMMON~1\zoku\zokum.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" -vt yazb


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Owner\d.bat
C:\Documents and Settings\Owner\c200.bat
C:\Documents and Settings\Owner\c.bat
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2

Driver::
Mta38

Folder::
C:\PROGRA~1\COMMON~1\zoku
C:\Program Files\Qbkjqwxd


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log

Edited by Rorschach112, 09 February 2008 - 08:02 AM.

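The four O4 entries Rorschach112 ticks in the step above are exactly the ones ComboFix printed with an empty `[ ]` metadata field in post #17, and they share other tells: a value name shaped like a CLSID that is not a valid GUID, a copy of services.exe living outside %SystemRoot%, and vowel-less folder and file names. The script below is an added example (not part of the original thread, and not a HijackThis or ComboFix feature): it applies those heuristics to the O4 lines and cross-checks each entry against the ComboFix Run-key dump. The sample input is constructed from the logs posted above; the scoring weights, the threshold and the `SYSTEM_ROOT` drive letter are assumptions tuned to this log, and the name heuristic is deliberately weak (the legitimate BCMSMMSG.exe scores 1 on it) so that it only flags on its own when two random-looking path components coincide.

```python
"""Triage HijackThis O4 (Run-key) entries, cross-checked against ComboFix's Run-key dump."""
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines and ComboFix Run-key lines abridged from the
# logs posted in this thread. ComboFix prints "[ ]" when it found no file metadata.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [{34-4F-F5-54-ZN}] C:\WINDOWS\system32\lodsrngs.exe CHD003
O4 - HKLM\..\Run: [wmjwkrfk] C:\Program Files\Qbkjqwxd\wmjwkrfk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [zoku] C:\PROGRA~1\COMMON~1\zoku\zokum.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" -vt yazb
"""
COMBOFIX_SAMPLE = r'''
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"zoku"="C:\PROGRA~1\COMMON~1\zoku\zokum.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" [ ]
"{34-4F-F5-54-ZN}"="C:\WINDOWS\system32\lodsrngs.exe" [ ]
"wmjwkrfk"="C:\Program Files\Qbkjqwxd\wmjwkrfk.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-03 18:35 118784]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
'''

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s|$)', re.I)   # path up to the first .exe, quoted or not
CF_RE = re.compile(r'^"(?P<name>[^"]+)"="[^"]*"\s*\[(?P<meta>[^\]]*)\]')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# Core Windows binary names malware borrows; legitimately they live under %SystemRoot%.
SYSTEM_BINARIES = {'services.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe', 'explorer.exe'}
SYSTEM_ROOT = 'c:\\windows\\'   # assumption: default XP install drive, as in the logs above


@dataclass
class Finding:
    name: str
    line: str
    score: int
    reasons: list


def looks_random(component):
    """True for a path component with >= 6 letters and no vowel (8.3 '~1' tails and extensions dropped)."""
    letters = re.sub(r'[^a-z]', '', component.split('~')[0].split('.')[0].lower())
    return len(letters) >= 6 and not set(letters) & set('aeiou')


def combofix_metadata(text):
    """Map Run-value name -> the bracketed metadata ComboFix printed ('' when it found none)."""
    return {m['name']: m['meta'].strip() for m in map(CF_RE.match, text.splitlines()) if m}


def score(name, cmd, meta):
    """Weighted indicators for one O4 entry; returns (total, [reason, ...])."""
    reasons = []
    m = EXE_RE.match(cmd)
    path = m['path'] if m else cmd
    parts = path.split('\\')
    if name.startswith('{') and not GUID_RE.match(name):
        reasons.append(('value name mimics a CLSID but is not a valid GUID', 2))
    if parts[-1].lower() in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_ROOT):
        reasons.append(('core Windows binary name outside %SystemRoot%', 2))
    for comp in parts:
        if looks_random(comp):
            reasons.append((f'random-looking name "{comp}"', 1))
    if meta is not None and meta.get(name) == '':
        reasons.append(('ComboFix found no file metadata for this entry', 2))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(hjt_text, combofix_text=None, threshold=2):
    """Return the O4 entries scoring at or above threshold, highest score first."""
    meta = combofix_metadata(combofix_text) if combofix_text else None
    hits = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        total, why = score(m['name'], m['cmd'], meta)
        if total >= threshold:
            hits.append(Finding(m['name'], line.strip(), total, why))
    return sorted(hits, key=lambda f: -f.score)


def fix_list(findings):
    """The lines to tick in HijackThis 'Do a system scan only' before pressing 'Fix checked'."""
    return [f.line for f in findings]


if __name__ == '__main__':
    for f in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f.score, f.name, '; '.join(f.reasons))
```

Run without the ComboFix dump and `zoku` is missed: nothing about `C:\PROGRA~1\COMMON~1\zoku\zokum.exe` looks wrong in isolation, which is why the helper works from both logs rather than from HijackThis alone.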

#19 kuraikinzoku (Topic Starter, Member, 38 posts)
ComboFix 08-02.05.3 - Owner 2008-02-09 20:29:21.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\COMMON~1\zoku
C:\PROGRA~1\COMMON~1\zoku\zokua.lck
C:\PROGRA~1\COMMON~1\zoku\zokuh
C:\PROGRA~1\COMMON~1\zoku\zokul.lck
C:\PROGRA~1\COMMON~1\zoku\zokum.lck
C:\Program Files\Qbkjqwxd
C:\WINDOWS\system32\drivers\Hns73.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HNS73
-------\LEGACY_MTA38
-------\Hns73
-------\Mta38


((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 20:33 . 2008-02-09 20:33 25,984 --a------ C:\WINDOWS\system32\drivers\Qwc16.sys
2008-02-09 20:33 . 2008-02-09 20:33 8,704 --a------ C:\WINDOWS\system32\LogCrypt.dl_
2008-02-09 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-09 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-09 20:09 . 2008-02-09 20:11 8,704 --a------ C:\WINDOWS\system32\LogCrypt.dll
2008-02-08 21:27 . 2004-08-12 05:56 388,608 --a------ C:\kmd.exe
2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 23:17 . 2008-02-05 18:02 <DIR> d-------- C:\SDFix
2008-02-03 22:21 . 2008-02-03 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:54 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-03 17:29 . 2006-05-05 01:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-03 11:20 . 2008-02-03 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 11:20 . 2008-02-03 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 11:20 . 2008-02-03 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 11:19 . 2008-02-03 18:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33 . 2008-02-02 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29 . 2008-02-07 23:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29 . 2008-02-02 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24 . 2008-02-02 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35 . 2008-02-09 20:21 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30 . 2008-02-02 21:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 21:29 . 2008-02-02 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 20:37 . 2008-02-08 17:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 20:37 . 2008-02-02 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-24 18:59 . 2008-02-03 18:28 <DIR> d-------- C:\Program Files\RcvSystem

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 03:01 99 ----a-w C:\Documents and Settings\Owner\d.bat
2007-12-16 19:38 19,840 ----a-w C:\WINDOWS\system32\drivers\Mta38.sys
2007-10-08 18:39 126 ----a-w C:\Documents and Settings\Owner\c200.bat
2007-10-05 23:17 123 ----a-w C:\Documents and Settings\Owner\c.bat
2007-08-07 21:46 6,461 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-11 18:05 1,700,299 --sha-w C:\WINDOWS\system32\wvvwa.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-03 18:35 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-03 18:35 118784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2008-02-03 18:33 122880]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]
LogCrypt.dll 2008-02-09 20:11 8704 C:\WINDOWS\system32\LogCrypt.dll

R0 Qwc16;Qwc16;C:\WINDOWS\system32\Drivers\Qwc16.sys [2008-02-09 20:33]

*Newly Created Service* - QWC16
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 20:33:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogCrypt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-09 20:39:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 04:38:25
ComboFix2.txt 2008-02-09 05:30:26
ComboFix3.txt 2008-02-06 16:55:10
.
2008-02-05 09:33:32 --- E O F ---


======================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:39 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3535 bytes

#20 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\Drivers\Qwc16.sys"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\system32\Drivers\Qwc16.sys

  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\Qwc16.sys
C:\WINDOWS\system32\LogCrypt.dl_
C:\Documents and Settings\Owner\d.bat
C:\WINDOWS\system32\drivers\Mta38.sys
C:\Documents and Settings\Owner\c200.bat
C:\Documents and Settings\Owner\c.bat
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2

Folder::
C:\Program Files\RcvSystem

Driver::
Qwc16


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#21 kuraikinzoku (Topic Starter, Member, 38 posts)
ComboFix 08-02.05.3 - Owner 2008-02-10 5:43:04.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\WINDOWS\system32\drivers\Qwc16.sys

----- BITS: Possible infected sites -----

hxxp://au.download.windowsup
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_QWC16
-------\Qwc16


((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 05:46 . 2008-02-10 05:46 25,984 --a------ C:\WINDOWS\system32\drivers\Msa64.sys
2008-02-10 05:46 . 2008-02-10 05:46 8,704 --a------ C:\WINDOWS\system32\LogCrypt.dl_
2008-02-10 03:07 . 2008-02-10 03:07 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-09 20:27 . 2004-08-12 05:56 388,608 --a------ C:\kmd.exe
2008-02-09 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-09 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-09 20:09 . 2008-02-09 20:44 8,704 --a------ C:\WINDOWS\system32\LogCrypt.dll
2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 23:17 . 2008-02-05 18:02 <DIR> d-------- C:\SDFix
2008-02-03 22:21 . 2008-02-03 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:54 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-03 17:29 . 2006-05-05 01:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-03 11:20 . 2008-02-03 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 11:20 . 2008-02-03 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 11:20 . 2008-02-03 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 11:19 . 2008-02-03 18:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33 . 2008-02-02 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29 . 2008-02-07 23:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29 . 2008-02-02 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24 . 2008-02-02 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35 . 2008-02-10 03:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30 . 2008-02-02 21:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 21:29 . 2008-02-02 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 20:37 . 2008-02-10 03:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 20:37 . 2008-02-02 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 03:01 99 ----a-w C:\Documents and Settings\Owner\d.bat
2007-12-16 19:38 19,840 ----a-w C:\WINDOWS\system32\drivers\Mta38.sys
2007-10-08 18:39 126 ----a-w C:\Documents and Settings\Owner\c200.bat
2007-10-05 23:17 123 ----a-w C:\Documents and Settings\Owner\c.bat
2007-08-07 21:46 6,461 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-11 18:05 1,700,299 --sha-w C:\WINDOWS\system32\wvvwa.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-03 18:35 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-03 18:35 118784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2008-02-03 18:33 122880]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]
LogCrypt.dll 2008-02-09 20:44 8704 C:\WINDOWS\system32\LogCrypt.dll


*Newly Created Service* - MSA64
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 05:46:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-10 5:53:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 13:52:31
ComboFix2.txt 2008-02-10 04:39:09
ComboFix3.txt 2008-02-09 05:30:26
ComboFix4.txt 2008-02-06 16:55:10
.
2008-02-10 13:39:32 --- E O F ---

#22 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\LogCrypt.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\system32\LogCrypt.dll

  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\Msa64.sys
C:\WINDOWS\system32\LogCrypt.dl_
C:\Documents and Settings\Owner\d.bat
C:\WINDOWS\system32\drivers\Mta38.sys
C:\Documents and Settings\Owner\c200.bat
C:\Documents and Settings\Owner\c.bat
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\LogCrypt.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log

#23 kuraikinzoku (Member, Topic Starter, 38 posts)
ComboFix 08-02.05.3 - Owner 2008-02-10 6:43:22.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Msa64.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSA64
-------\Msa64


((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 05:42 . 2004-08-12 05:56 388,608 --a------ C:\kmd.exe
2008-02-10 03:07 . 2008-02-10 03:07 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-09 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-09 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-09 20:09 . 2008-02-10 05:46 8,704 --a------ C:\WINDOWS\system32\LogCrypt.dll
2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 23:17 . 2008-02-05 18:02 <DIR> d-------- C:\SDFix
2008-02-03 22:21 . 2008-02-03 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:54 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-03 17:29 . 2006-05-05 01:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-03 11:20 . 2008-02-03 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 11:20 . 2008-02-03 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 11:20 . 2008-02-03 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 11:19 . 2008-02-03 18:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33 . 2008-02-02 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29 . 2008-02-07 23:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29 . 2008-02-02 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24 . 2008-02-02 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35 . 2008-02-10 03:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30 . 2008-02-02 21:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 21:29 . 2008-02-02 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 20:37 . 2008-02-10 06:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 20:37 . 2008-02-02 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 03:01 99 ----a-w C:\Documents and Settings\Owner\d.bat
2007-12-16 19:38 19,840 ----a-w C:\WINDOWS\system32\drivers\Mta38.sys
2007-10-08 18:39 126 ----a-w C:\Documents and Settings\Owner\c200.bat
2007-10-05 23:17 123 ----a-w C:\Documents and Settings\Owner\c.bat
2007-08-07 21:46 6,461 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-11 18:05 1,700,299 --sha-w C:\WINDOWS\system32\wvvwa.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-03 18:35 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-03 18:35 118784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2008-02-03 18:33 122880]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 06:50:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-10 6:55:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 14:54:40
ComboFix2.txt 2008-02-10 13:53:08
ComboFix3.txt 2008-02-10 04:39:09
ComboFix4.txt 2008-02-09 05:30:26
ComboFix5.txt 2008-02-06 16:55:10
.
2008-02-10 13:39:32 --- E O F ---


--------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:41 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3303 bytes

#24 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\LogCrypt.dll
    C:\Documents and Settings\Owner\d.bat
    C:\WINDOWS\system32\drivers\Mta38.sys
    C:\Documents and Settings\Owner\c200.bat
    C:\Documents and Settings\Owner\c.bat
    C:\WINDOWS\system32\wvvwa.bak1
    C:\WINDOWS\system32\wvvwa.bak2
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log

#25 kuraikinzoku (Member, Topic Starter, 38 posts)
DllUnregisterServer procedure not found in C:\WINDOWS\system32\LogCrypt.dll
C:\WINDOWS\system32\LogCrypt.dll NOT unregistered.
C:\WINDOWS\system32\LogCrypt.dll moved successfully.
C:\Documents and Settings\Owner\d.bat moved successfully.
C:\WINDOWS\system32\drivers\Mta38.sys moved successfully.
C:\Documents and Settings\Owner\c200.bat moved successfully.
C:\Documents and Settings\Owner\c.bat moved successfully.
C:\WINDOWS\system32\wvvwa.bak1 moved successfully.
C:\WINDOWS\system32\wvvwa.bak2 moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.19 log created on 02102008_073827



-----------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:06 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3270 bytes



#26 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Then post a new DSS log, not a HijackThis log

#27 kuraikinzoku (Member, Topic Starter, 38 posts)
Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-10 09:10:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:39 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3157 bytes

-- Files created between 2008-01-10 and 2008-02-10 -----------------------------

2008-02-10 03:07:48 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-05 21:35:37 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-05 21:35:37 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-05 21:35:37 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-05 21:35:37 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-05 17:40:10 0 d-------- C:\WINDOWS\ERUNT
2008-02-03 22:21:55 0 d-------- C:\Program Files\Trend Micro
2008-02-03 21:54:22 0 d-------- C:\WINDOWS\system32\PreInstall
2008-02-03 11:19:57 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29:58 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35:38 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:29:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 21:25:38 0 d-------- C:\WINDOWS\pss
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Templates
2008-02-02 21:21:08 0 dr------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Start Menu
2008-02-02 21:21:08 0 dr-h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\SendTo
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Recent
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\PrintHood
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\NetHood
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\My Documents
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Local Settings
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Favorites
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Desktop
2008-02-02 21:21:08 0 d---s---- C:\Documents and Settings\Administrator.USER-0358FF83F2\Cookies
2008-02-02 21:21:08 0 dr-h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Application Data
2008-02-02 21:21:08 0 d---s---- C:\Documents and Settings\Administrator.USER-0358FF83F2\Application Data\Microsoft
2008-02-02 21:21:07 524288 --ah----- C:\Documents and Settings\Administrator.USER-0358FF83F2\NTUSER.DAT
2008-01-24 19:01:38 0 d-------- C:\WINDOWS\system32\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2008-02-09 20:29:46 0 d-------- C:\Program Files\Common Files
2008-02-05 00:24:34 0 d-------- C:\Program Files\Messenger
2008-02-03 18:35:18 155648 --a------ C:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel® Common User Interface>
2008-02-03 18:35:13 118784 --a------ C:\WINDOWS\system32\hkcmd.exe <Not Verified; Intel Corporation; Intel® Common User Interface>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 07:15 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 03:50 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 03:50 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/03/2008 06:35 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/03/2008 06:35 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [02/03/2008 06:33 PM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qvb05.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-02-10 09:11:14 ------------

#28 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also tell me how your PC is running

#29 kuraikinzoku (Member, Topic Starter, 38 posts)
It runs OK, but Kaspersky says that the computer is infected.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 10, 2008 1:00:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/02/2008
Kaspersky Anti-Virus database records: 556123
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 23316
Number of viruses found: 36
Number of infected objects: 81
Number of suspicious objects: 0
Duration of the scan process: 00:30:14

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080208173230\backup\WINDOWS\temp\ASHeuristic\fuwarxyus_dll.vir Infected: Trojan-Spy.Win32.Delf.bcq skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\WinPFind35u\MovedFiles\02072008_165906\Documents and Settings\Owner\Application Data\Microsoft\Windows\whlwov.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Hns73.sys.vir Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\QooBox\Quarantine\catchme2008-02-09_203330.75.zip/Hns73.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\QooBox\Quarantine\catchme2008-02-09_203330.75.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-02-10_ 54635.73.zip/Qwc16.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\QooBox\Quarantine\catchme2008-02-10_ 54635.73.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-02-10_ 65044.14.zip/Msa64.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\QooBox\Quarantine\catchme2008-02-10_ 65044.14.zip ZIP: infected - 1 skipped
C:\SDFix\backups\regscan.exe Infected: Trojan-Downloader.Win32.Agent.hlp skipped
C:\SDFix\backups\svchost.exe Infected: Trojan-Downloader.Win32.Agent.gbi skipped
C:\SDFix\backups\UnInstall.exe Infected: not-a-virus:AdWare.Win32.Agent.aaq skipped
C:\SDFix\backups\Words.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\SDFix\backups\WTUninstaller.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108528.sys Infected: Rootkit.Win32.Agent.dp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108533.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108536.exe Infected: not-a-virus:AdWare.Win32.Agent.aaq skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108537.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108538.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108540.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108542.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108546.exe Infected: Trojan-Downloader.Win32.Agent.gbi skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108551.exe Infected: Trojan-Downloader.Win32.Agent.hlp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP22\A0108563.dll Infected: Trojan-Spy.Win32.Delf.bcq skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108567.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.id skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108570.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108570.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108570.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108574.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108574.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108575.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108575.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108575.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108580.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108584.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108599.exe Infected: Trojan-Downloader.Win32.Agent.gbi skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108618.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108625.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108627.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108628.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108629.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108630.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108631.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108642.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108643.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108645.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108659.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108662.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108718.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108719.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108825.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108826.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108827.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108830.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108831.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108834.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108835.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108836.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108837.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108837.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108837.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108837.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108837.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108838.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108839.sys Infected: Rootkit.Win32.Agent.dp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108840.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108841.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108843.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108845.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108847.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108848.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aa skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP25\A0108849.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP28\A0108964.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP29\A0109197.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP32\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A5BCF4EF-3B95-4E0B-AE0B-1F8B0E080A9C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\AU48iI55.dll Infected: not-a-virus:AdWare.Win32.BHO.fb skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\EK2ljv17.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\irO8W7Mm.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\Vc5bgIb6.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\02102008_073827\WINDOWS\system32\drivers\Mta38.sys Infected: Trojan-Downloader.Win32.Diehard.cp skipped

Scan process completed.
  • 0

#30
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No need to worry, a lot of that is in quarantine.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\AU48iI55.dll
    C:\WINDOWS\system32\EK2ljv17.dll
    C:\WINDOWS\system32\irO8W7Mm.dll
    C:\WINDOWS\system32\Vc5bgIb6.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Tell me how your PC is running then.
  • 0
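The triage behind the reply above, as an added example that is not part of the thread: a Python script that separates detections sitting in quarantine, backup, restore-point and moved-file folders (stored copies that cannot run) from detections on live files, which is why only the system32 DLLs go into the OTMoveIt2 list. The sample log lines are constructed from paths in the scan log above; the folder prefixes treated as "stored" are an assumption based on the tools used in this thread.

```python
import re

# Constructed sample in the shape of the Kaspersky log above: a locked system
# file, copies sitting in quarantine/backup/restore folders, two live detections.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-09_203330.75.zip/Hns73.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\QooBox\Quarantine\catchme2008-02-09_203330.75.zip ZIP: infected - 1 skipped
C:\SDFix\backups\regscan.exe Infected: Trojan-Downloader.Win32.Agent.hlp skipped
C:\System Volume Information\_restore{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108528.sys Infected: Rootkit.Win32.Agent.dp skipped
C:\WINDOWS\system32\AU48iI55.dll Infected: not-a-virus:AdWare.Win32.BHO.fb skipped
C:\WINDOWS\system32\EK2ljv17.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\_OTMoveIt\MovedFiles\02102008_073827\WINDOWS\system32\drivers\Mta38.sys Infected: Trojan-Downloader.Win32.Diehard.cp skipped
"""
# Assumed: a detection under one of these paths is a stored copy, not a running threat.
STORED_PREFIXES = (r"c:\qoobox\quarantine", r"c:\sdfix\backups",
                   r"c:\system volume information\_restore")
STORED_MARKERS = ("\\movedfiles\\",)  # OTMoveIt2 / WinPFind moved-file folders

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^.+? (?:ZIP|NSIS|RAR|CAB): infected - \d+ skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

def is_stored_copy(path):
    p = path.lower()
    return p.startswith(STORED_PREFIXES) or any(m in p for m in STORED_MARKERS)

def triage(log_text):
    """Bucket each log line: live detection, stored copy, or locked (unscanned) file."""
    result = {"live": [], "stored": [], "locked": []}
    for line in log_text.strip().splitlines():
        m = INFECTED_RE.match(line)
        if m:
            bucket = "stored" if is_stored_copy(m["path"]) else "live"
            result[bucket].append((m["path"], m["name"]))
        elif CONTAINER_RE.match(line):
            continue  # archive summary; its infected members were listed separately
        else:
            m = LOCKED_RE.match(line)
            if m:
                result["locked"].append(m["path"])
    return result

def files_to_move(log_text):
    """Only the live detections still need a removal tool such as OTMoveIt2."""
    return sorted(path for path, _ in triage(log_text)["live"])

if __name__ == "__main__":
    print("\n".join(files_to_move(SAMPLE_LOG)))
```

Locked files are listed separately because the scanner never examined them; they are not evidence of infection either way.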