viruses and malware galore [RESOLVED]


This topic is locked

#1 shaz (Member, 145 posts)
I'm having so many problems with viruses it's beyond my control. I have done the suggested malware page on the forum and it's not helping. My computer runs slow and I'm not able to stay connected for long before it shuts down. Please take a look at my HJT log; any suggestions would be greatly appreciated.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:31 AM, on 3/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dbsarticles.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\589B7E79.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Microsoft usnsvc Service - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5880 bytes


#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi shaz,

Welcome to Geeks to Go :)

Sorry to keep you waiting. Let's do a deeper scan of your machine for me to analyse.

(If your problem has already been resolved, could you just let me know so that I can move on to other logs to help others? Thanks.)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk

#3 shaz (Topic Starter, Member, 145 posts)
Hi Andrew, here are those logs.

Deckard's System Scanner v20071014.68
Run by user on 2008-03-08 05:15:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
12: 2008-03-06 21:47:40 UTC - RP108 - System Checkpoint
11: 2008-03-05 21:10:14 UTC - RP107 - System Checkpoint
10: 2008-03-04 20:49:55 UTC - RP106 - System Checkpoint
9: 2008-03-03 20:10:45 UTC - RP105 - System Checkpoint
8: 2008-03-02 20:06:46 UTC - RP104 - System Checkpoint


-- First Restore Point --
1: 2008-02-11 13:50:30 UTC - RP97 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 128 MiB (512 MiB recommended).
System Drive C: has 1.03 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:02 AM, on 8/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\rundll32.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Media Player - {D480850D-85D1-4836-9AEA-86C185CDAE29} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\589B7E79.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Microsoft usnsvc Service - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6148 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>

S3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Microsoft usnsvc Service - "c:\windows\usnsvc.exe" (file missing)
S4 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
S4 Microsoft wscntfy Service - "c:\windows\wscntfy.exe" (file missing)
S4 MS NET Service - "c:\windows\wiadss.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm


-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 17:15:01 374 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-02-08 and 2008-03-08 -----------------------------

2008-03-07 21:34:51 9609 --ahs---- C:\WINDOWS\System32\.exe
2008-03-07 11:27:53 655360 --a------ C:\mguard.exe
2008-03-07 09:43:45 0 d-------- C:\Program Files\Files-Secure
2008-03-07 09:30:41 219648 --a------ C:\WINDOWS\wmpdxm.dll
2008-03-07 09:28:43 81 --a------ C:\WINDOWS\System32\i
2008-03-07 08:55:49 45 --a------ C:\amp.bat
2008-03-05 17:40:20 54784 ---hs---- C:\WINDOWS\System32\a.exe
2008-03-04 19:11:34 54784 ---hs---- C:\WINDOWS\System32\msmsgs.exe
2008-03-03 10:15:16 58 --a------ C:\WINDOWS\System32\o
2008-02-27 12:53:20 53 --a------ C:\WINDOWS\System32\x
2008-02-25 15:26:33 56832 ---hs---- C:\WINDOWS\rundll32.exe
2008-02-25 15:26:31 56832 ---hs---- C:\lo.exe
2008-02-17 22:01:53 28672 --a------ C:\WINDOWS\System32\file.exe
2008-02-16 22:08:31 1 --a------ C:\WINDOWS\System32\rc.dat
2008-02-16 22:08:31 1 --a------ C:\WINDOWS\System32\ps1.dat
2008-02-16 22:08:31 1 --a------ C:\WINDOWS\System32\cs.dat
2008-02-15 08:33:32 53760 --a------ C:\WINDOWS\System32\condw32.dll <Not Verified; Microsoft; Loop>
2008-02-15 03:13:39 53760 --a------ C:\WINDOWS\System32\contrld.dll <Not Verified; Microsoft; Loop>
2008-02-12 11:32:21 52736 --a------ C:\WINDOWS\System32\condt32.dll <Not Verified; Microsoft; Jop>
2008-02-12 10:45:26 54762 --a------ C:\WINDOWS\System32\jkghje.dll
2008-02-12 10:45:22 52736 --a------ C:\WINDOWS\System32\unifff.dll <Not Verified; Microsoft; Jop>
2008-02-12 10:45:22 1 --a------ C:\WINDOWS\System32\conf.dat
2008-02-10 19:09:41 0 --a------ C:\WINDOWS\System32\wmsoft73574.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-07 17:37:42 0 --a------ C:\Documents and Settings\user\Application Data\WGC_Client Preferences
2008-03-07 08:01:12 0 d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-03-01 22:37:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-16 12:41:04 0 d-------- C:\Program Files\Acoustica MP3 CD Burner
2008-02-14 07:53:50 0 d-------- C:\Documents and Settings\user\Application Data\MSN6
2008-02-04 15:13:18 0 d-------- C:\Program Files\wgcenter
2008-02-04 13:59:23 0 d-------- C:\Program Files\Trend Micro
2008-01-31 10:16:45 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-29 22:12:19 0 d-------- C:\Documents and Settings\user\Application Data\TuneUp Software
2008-01-29 22:07:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 09:19:18 0 d-------- C:\Program Files\QuickTime
2008-01-15 18:52:39 0 d-------- C:\Program Files\LimeWire
2008-01-14 08:41:16 0 d-------- C:\Program Files\Google
2007-12-30 09:21:30 6959 --ahs---- C:\WINDOWS\System32\npqss.ini2
2007-12-30 03:47:47 4612 --a------ C:\msu32.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59D94AAD-0A67-417e-969B-8311296E8364}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D480850D-85D1-4836-9AEA-86C185CDAE29}]
07/03/2008 09:30 AM 219648 --a------ C:\WINDOWS\wmpdxm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [22/12/2007 11:19 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00 AM]
"BigPondWirelessBroadbandCM"="C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" [18/09/2007 02:02 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 07:25 PM]
"2gb4i3hn"="C:\WINDOWS\TEMP\589B7E79.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [24/01/2008 09:19 AM]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" [02/03/2008 12:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Driver"="C:\WINDOWS\rundll32.exe" [25/02/2008 03:26 PM]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" [02/03/2008 12:20 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security XP"=C:\WINDOWS\System32\nvsvc86.exe
"OfficeWord Monitors XP"=C:\WINDOWS\System32\mdms.exe
"Microsoft Windows Driver"=C:\WINDOWS\rundll32.exe
"Microsoft Oftice"=C:\WINDOWS\System32\msmsgs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\ssqpn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Office Startup.lnk]
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office]
C:\WINDOWS\System32\mdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Driver]
C:\WINDOWS\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security XP]
C:\WINDOWS\System32\nvsvc86.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MS NET Service"=2 (0x2)
"gusvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Windows Driver"=C:\WINDOWS\rundll32.exe
"Microsoft Oftice"=C:\WINDOWS\System32\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"Windows Networking Monitoring"=C:\WINDOWS\System32\mdm.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-03-08 05:21:13 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 127.55 MiB / 30.23 MiB
Pagefile Memory (total/avail): 358.05 MiB / 45.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.95 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 8.03 GiB total, 0.98 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST38410A - 8.03 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 8.03 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GX0PICTZSNYEMMO
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\GX0PICTZSNYEMMO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0502
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=GX0PICTZSNYEMMO
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems PCI Soft Modem --> agrsmdel
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BigPond ADSL SIK 5.6 Files --> C:\Program Files\Telstra\sikuninst.exe
BigPond Wireless Broadband 2.8.13 --> MsiExec.exe /I{0EEE3193-5E0D-471B-BFB0-0C2034F17B3B}
DX-Ball 1.09 --> C:\PROGRA~1\DX-Ball\UNWISE.EXE C:\PROGRA~1\DX-Ball\INSTALL.LOG
Files Secure --> C:\Program Files\Files-Secure\Uninstall.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 97, Professional Edition --> C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Nero 7 Essentials --> MsiExec.exe /I{F17F7703-1E72-40C1-A0DD-E5B365661033}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
World Gaming Center Version 2.1.2 with Gamescript Files --> "C:\Program Files\wgcenter\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2506 / Success
Event Submitted/Written: 03/08/2008 04:40:15 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2505 / Error
Event Submitted/Written: 03/08/2008 01:32:01 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Event Record #/Type2502 / Error
Event Submitted/Written: 03/07/2008 09:37:00 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Event Record #/Type2495 / Success
Event Submitted/Written: 03/07/2008 03:48:41 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2490 / Error
Event Submitted/Written: 03/07/2008 01:07:51 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type256 / Error
Event Submitted/Written: 03/07/2008 10:24:23 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 124.186.186.208 for the Network Card with network address 00A0C6000000 has been
denied by the DHCP server 58.165.187.93 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type227 / Error
Event Submitted/Written: 03/07/2008 05:31:09 PM
Event ID/Source: 5000 / LsaSrv
Event Description:
The security package Negotiate generated an exception. The package is now disabled.
The exception information is the data.

Event Record #/Type222 / Error
Event Submitted/Written: 03/07/2008 03:19:03 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 124.177.173.209 for the Network Card with network address 00A0C6000000 has been
denied by the DHCP server 121.222.205.233 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type204 / Error
Event Submitted/Written: 03/07/2008 01:23:46 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 121.218.17.214 for the Network Card with network address 00A0C6000000 has been
denied by the DHCP server 124.177.173.210 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type190 / Error
Event Submitted/Written: 03/07/2008 09:41:03 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 124.186.87.128 for the Network Card with network address 00A0C6000000 has been
denied by the DHCP server 121.218.17.213 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-03-08 05:21:13 ------------

#4
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hi Shaz

you have quite an infected machine there and so it will take several posts from myself to clear.


Firstly, however, I must bring your attention to the fact that you have a password stealer trojan on your machine. It is highly likely that your passwords have been compromised and therefore I advise as a matter of urgency that you change the passwords to financial websites and other websites from a safe and clean machine (i.e. not this one) and you take whatever further precautions you deem necessary. Details of the trojan can be found here


I would keep this machine offline as much as possible until we are finished with this fix.


Before we move into the fix proper (including removing the above trojan), I want to see if you still have a smitfraud infection; I can see some traces of it.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm



andrewuk

#5
shaz (Topic Starter, Member, 145 posts)

hi again, here's that log... thanks for the quick reply


SmitFraudFix v2.300

Scan done at 8:02:01.70, Sat 08/03/2008
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\rundll32.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\mshearts.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\msmsgs.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: wmpdxm.dll
BHO: Windows Media Player - {D480850D-85D1-4836-9AEA-86C185CDAE29}
CLSID: {D480850D-85D1-4836-9AEA-86C185CDAE29}
AppID: {D480850D-85D1-4836-9AEA-86C185CDAE29}
AppID: wmpdxm.dll
Classes: wmpdxm.Video
TypeLib: {74D46BBA-5638-473A-83B6-97E7804A7411}
Interface: {48D78BE5-CFB9-4B66-9AC4-96D4CF21DE06}


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 61.9.211.1
DNS Server Search Order: 61.9.211.33

Description: WAN Driver @ 3GPP (6280) - Packet Scheduler Miniport
DNS Server Search Order: 61.9.195.193
DNS Server Search Order: 61.9.194.49

HKLM\SYSTEM\CCS\Services\Tcpip\..\{07F7E4CB-F844-4DD7-BCBB-05B6D285AE19}: DhcpNameServer=61.9.211.1 61.9.211.33
HKLM\SYSTEM\CCS\Services\Tcpip\..\{483A9FA3-A60A-4D44-9CDB-EA7852BD8CBE}: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07F7E4CB-F844-4DD7-BCBB-05B6D285AE19}: DhcpNameServer=61.9.211.1 61.9.211.33
HKLM\SYSTEM\CS1\Services\Tcpip\..\{483A9FA3-A60A-4D44-9CDB-EA7852BD8CBE}: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS2\Services\Tcpip\..\{07F7E4CB-F844-4DD7-BCBB-05B6D285AE19}: DhcpNameServer=61.9.211.1 61.9.211.33
HKLM\SYSTEM\CS2\Services\Tcpip\..\{483A9FA3-A60A-4D44-9CDB-EA7852BD8CBE}: DhcpNameServer=61.9.211.1 61.9.195.193
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=61.9.211.1 61.9.195.193


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

looks like you still have the smitfraud infection, so we will remove it now.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


In your next reply could I see:
1. the rapport.txt
2. a new hijackthis log

andrewuk

#7
shaz (Topic Starter, Member, 145 posts)

here are the 2 logs... hope this helps

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:23 AM, on 8/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\rundll32.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dbsarticles.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Media Player - {D480850D-85D1-4836-9AEA-86C185CDAE29} - C:\WINDOWS\wmpdxm.dll (file missing)
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\589B7E79.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Microsoft usnsvc Service - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6109 bytes



SmitFraudFix v2.300

Scan done at 8:45:07.50, Sat 08/03/2008
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\msmsgs.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\wmpdxm.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{07F7E4CB-F844-4DD7-BCBB-05B6D285AE19}: DhcpNameServer=61.9.211.1 61.9.211.33
HKLM\SYSTEM\CCS\Services\Tcpip\..\{483A9FA3-A60A-4D44-9CDB-EA7852BD8CBE}: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07F7E4CB-F844-4DD7-BCBB-05B6D285AE19}: DhcpNameServer=61.9.211.1 61.9.211.33
HKLM\SYSTEM\CS1\Services\Tcpip\..\{483A9FA3-A60A-4D44-9CDB-EA7852BD8CBE}: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS2\Services\Tcpip\..\{07F7E4CB-F844-4DD7-BCBB-05B6D285AE19}: DhcpNameServer=61.9.211.1 61.9.211.33
HKLM\SYSTEM\CS2\Services\Tcpip\..\{483A9FA3-A60A-4D44-9CDB-EA7852BD8CBE}: DhcpNameServer=61.9.211.1 61.9.195.193
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=61.9.195.193 61.9.194.49
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=61.9.211.1 61.9.195.193


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#8
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

another fix to be done in safe mode...

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

andrewuk

#9
shaz (Topic Starter, Member, 145 posts)

hi andrew... here are those 2 logs


SDFix: Version 1.154

Run by user on Sun 09/03/2008 at 08:23 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
wer32

Path:
\??\C:\WINDOWS\System32\jkghje.dll

wer32 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WMSOFT~1.EXE - Deleted
C:\WINDOWS\system32\wmsoft73574.exe - Deleted
C:\lo.exe - Deleted
C:\WINDOWS\rundll32.exe - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\condt32.dll - Deleted
C:\WINDOWS\system32\condw32.dll - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\contrld.dll - Deleted
C:\WINDOWS\system32\cs.dat - Deleted
C:\WINDOWS\system32\file.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\msft.txt - Deleted
C:\WINDOWS\system32\o - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\unifff.dll - Deleted
C:\WINDOWS\system32\jkghje.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 08:39:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"wiadss.exe"="wiadss.exe:*:Enabled:SYSTEM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"wiadss.exe"="wiadss.exe:*:Enabled:SYSTEM"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Mar 2008 54,784 ..SH. --- "C:\WINDOWS\system32\a.exe"
Sat 8 Mar 2008 54,784 ..SH. --- "C:\WINDOWS\system32\mdm.exe"
Tue 17 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 23 Apr 2007 193,024 ...H. --- "C:\Documents and Settings\user\My Documents\~WRL0003.tmp"
Sun 2 Mar 2008 20,992 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\~WRL0003.tmp"
Tue 4 Mar 2008 19,968 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\~WRL0004.tmp"

Finished!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:10 AM, on 9/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\589B7E79.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Microsoft usnsvc Service - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)

--
End of file - 5295 bytes

#10
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

In this post we will clear the other malware I can see and do some scans to see what else is in there.

the scans will likely take 2 hours, quite possibly longer. so just let them run.


====STEP 1====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do NOT run it yet


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\589B7E79.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')
O23 - Service: Microsoft usnsvc Service - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\TEMP\589B7E79.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could I see:
1. the OTMoveIT log
2. the SUPERantispyware log
3. the malwarebytes log
4. the kasperskyscan log
5. a new hijackthis log

There will be a lot of information to post in the next reply, so you may have to post the information over more than one reply to ensure it is all posted.

andrewuk


#11
shaz

    Member

  • Topic Starter
  • Member
  • 145 posts
Hi Andrew, here's those logs except for the SUPERAntiSpyware one... I ran the program and after 5 and a half hours it was only 33% done before the PC shut down with an error... if you still want me to do it then let me know.

File/Folder C:\WINDOWS\TEMP\589B7E79.exe not found.
[Custom Input]
< Purity >

OTMoveIt2 v1.0.20 log created on 03102008_144857

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 10, 2008 9:20:04 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 618846
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 31566
Number of viruses found: 10
Number of infected objects: 96
Number of suspicious objects: 0
Duration of the scan process: 05:52:34

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\file546.exe Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\file723.exe Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\G6-tmp1i.exe Infected: Trojan-Downloader.Win32.Delf.fhp skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Desktop\shaz songs\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5E74_948F_7494_6C11\dfsr.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5E74_948F_7494_6C11\fsr.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5E74_948F_7494_6C11\fsrtmp.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5E74_948F_7494_6C11\tmp.edb Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012008031020080311\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\tbpwbad.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF13D1.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF13E1.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF186.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF325.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\UserData\index.dat Object is locked skipped
C:\SDFix\backups\backups.zip/backups/lo.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\SDFix\backups\backups.zip/backups/o Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups\backups.zip/backups/rundll32.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\SDFix\backups\catchme.zip/jkghje.dll Infected: Trojan.Win32.Agent.fgw skipped
C:\SDFix\backups\catchme.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP100\A0328839.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0331852.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0331857.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0331858.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0331865.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0331871.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0332876.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0333876.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0333887.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0333888.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334876.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334880.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334886.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334887.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334893.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334898.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334906.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334907.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334908.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334909.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334910.dll Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334911.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334912.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0334918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0335918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP101\A0336918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0338918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0339918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0339922.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0340919.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0341918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0342918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0342919.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0342927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0343927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0343928.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0344927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0344928.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0345927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0345933.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0349944.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0349945.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0350940.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0350945.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0351944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0352944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0353944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0355944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356945.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356946.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356950.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0357944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358952.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358956.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358964.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0359964.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0359969.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0359975.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360975.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360976.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360987.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360988.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360993.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360994.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0361995.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0361996.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0361997.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0362005.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0362006.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0364993.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0364997.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0364998.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0364999.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0365989.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0365994.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0366002.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0367002.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369003.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369008.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369016.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369017.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369018.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0369024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0370024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0371024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0371025.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372025.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372033.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0373032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0374032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0375032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0375033.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376035.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376037.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376038.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376047.exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376048.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376050.dll Infected: Trojan-Downloader.Win32.Delf.fhp skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP109\A0378063.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379266.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379267.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379281.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379282.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\change.log Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP97\A0310750.vbs Infected: Trojan-Downloader.VBS.Small.az skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP97\A0311757.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP97\A0312757.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP97\A0313758.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP97\A0314757.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0318754.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0318761.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0318765.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0318766.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0318767.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0319759.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0321762.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0321763.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0321764.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0322764.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0322765.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0322766.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0323764.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0323765.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0325792.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0325793.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0325794.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP98\A0325799.exe Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Data Modem @ 3GPP (6280).txt Object is locked skipped
C:\WINDOWS\system32\2k3.exe Object is locked skipped
C:\WINDOWS\system32\a.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\54200_netapi[1].exe Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\arr[1].jpg Infected: Backdoor.Win32.IRCBot.btm skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mixit[1].exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mmdmm[1].exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1UBWLEZ\mumie[1].exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\84785_redworld[1].exe Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\mmdmm[3].exe Infected: Backdoor.Win32.IRCBot.btm skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\mdm.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.

Malwarebytes' Anti-Malware 1.07
Database version: 460

Scan type: Quick Scan
Objects scanned: 26278
Time elapsed: 21 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\npqss.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\npqss.ini2 (Malware.Trace) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:08 PM, on 10/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5319 bytes
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
hi shaz

here are those logs except for the super-antispyware one... I ran the program and after 5 and a half hours it was only 33% done before the pc shut down with an error..... if you still want me to do it then let me know

don't worry.

in this post we will remove the infection the kaspersky scan found - it is a tricky one to remove.

also, we will make sure your security programs are running and up to date - I suspect this infection is creeping back in at times.

====STEP 1====
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\a.exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\arr[1].jpg
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mixit[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mmdmm[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1UBWLEZ\mumie[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\mmdmm[3].exe
    C:\WINDOWS\system32\i
    C:\WINDOWS\system32\mdm.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
could you ensure your AVG antivirus is on, updated and running.

could you also ensure you have a firewall active.


====STEP 3====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again. When finished, please post back both logs that open in Notepad (main.txt and extra.txt).


In your next reply could I see:
1. the OTMoveIT log
2. confirmation that your AVG is running and updated, and that you are running a firewall
3. the 2 DSS logs (though those will also tell me if your security programs are running).

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.


we may have to come back and redo STEP 1 and we will certainly in a later post need to re-run the kaspersky scan to ensure that the infection is gone.

andrewuk
  • 0

#13
shaz

shaz

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
hi andrew... hope I got all this right, here are the logs and I have made sure anti virus is up to date.. also firewall turned on

C:\WINDOWS\system32\a.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\arr[1].jpg moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mixit[1].exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mmdmm[1].exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1UBWLEZ\mumie[1].exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\mmdmm[3].exe moved successfully.
C:\WINDOWS\system32\i moved successfully.
C:\WINDOWS\system32\mdm.exe moved successfully.

OTMoveIt2 v1.0.20 log created on 03112008_111746


Deckard's System Scanner v20071014.68
Run by user on 2008-03-11 13:14:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-03-11 03:15:06 UTC - RP112 - Deckard's System Scanner Restore Point
15: 2008-03-10 00:12:13 UTC - RP111 - System Checkpoint
14: 2008-03-08 11:52:52 UTC - RP110 - Removed TuneUp Utilities 2008
13: 2008-03-08 00:31:10 UTC - RP109 - System Checkpoint
12: 2008-03-06 21:47:40 UTC - RP108 - System Checkpoint


-- First Restore Point --
1: 2008-02-11 13:50:30 UTC - RP97 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 128 MiB (512 MiB recommended).


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:43 PM, on 11/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5861 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080309-100022-318 O23 - Service: Microsoft usnsvc Service - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)
backup-20080309-100022-612 O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\589B7E79.exe
backup-20080309-100022-695 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
backup-20080309-100022-923 O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.reg - regfile - shell\open\command - "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>

S3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
S4 Microsoft usnsvc Service - "c:\windows\usnsvc.exe" (file missing)
S4 Microsoft wscntfy Service - "c:\windows\wscntfy.exe" (file missing)
S4 MS NET Service - "c:\windows\wiadss.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1420)
2006-12-20 13:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>


-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 17:15:01 374 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-02-11 and 2008-03-11 -----------------------------

2008-03-11 12:48:30 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-11 12:37:13 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-11 12:35:55 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-03-11 12:35:15 11264 --a------ C:\WINDOWS\System32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-03-11 12:30:19 0 d-------- C:\WINDOWS\System32\ZoneLabs
2008-03-11 12:21:34 0 d-------- C:\WINDOWS\Internet Logs
2008-03-11 07:13:30 16384 -ra------ C:\WINDOWS\System32\TFTP2972
2008-03-10 22:55:13 0 -ra------ C:\WINDOWS\System32\TFTP2848
2008-03-10 22:54:48 0 -ra------ C:\WINDOWS\System32\TFTP1056
2008-03-10 22:53:39 0 -ra------ C:\WINDOWS\System32\TFTP3940
2008-03-10 20:01:40 0 -ra------ C:\WINDOWS\System32\TFTP2216
2008-03-10 19:58:41 0 --a------ C:\WINDOWS\System32\setup_56458.exe
2008-03-10 13:38:24 1138688 --a------ C:\WINDOWS\System32\hqghumea.dll
2008-03-10 10:39:31 245760 --a------ C:\WINDOWS\System32\wmsoft11721.exe
2008-03-10 10:35:24 439296 --a------ C:\WINDOWS\System32\f4.exe
2008-03-10 10:27:41 194048 --a------ C:\WINDOWS\System32\27031_redworld.exe
2008-03-09 17:49:04 0 -ra------ C:\WINDOWS\System32\TFTP456
2008-03-09 17:49:03 0 -ra------ C:\WINDOWS\System32\TFTP104
2008-03-09 17:09:21 0 -ra------ C:\WINDOWS\System32\TFTP3424
2008-03-09 14:55:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 14:16:24 0 d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-03-09 14:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-09 14:15:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-08 08:03:21 1292 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-07 09:43:45 0 d-------- C:\Program Files\Files-Secure
2008-03-07 08:55:49 45 --a------ C:\amp.bat


-- Find3M Report ---------------------------------------------------------------

2008-03-11 11:17:22 0 d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-03-10 22:51:02 0 --a------ C:\Documents and Settings\user\Application Data\WGC_Client Preferences
2008-03-09 10:22:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 21:55:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 12:41:04 0 d-------- C:\Program Files\Acoustica MP3 CD Burner
2008-02-14 07:53:50 0 d-------- C:\Documents and Settings\user\Application Data\MSN6
2008-02-04 15:13:18 0 d-------- C:\Program Files\wgcenter
2008-02-04 13:59:23 0 d-------- C:\Program Files\Trend Micro
2008-01-29 22:12:19 0 d-------- C:\Documents and Settings\user\Application Data\TuneUp Software
2008-01-24 09:19:18 0 d-------- C:\Program Files\QuickTime
2008-01-15 18:52:39 0 d-------- C:\Program Files\LimeWire
2008-01-14 08:41:16 0 d-------- C:\Program Files\Google
2007-12-30 03:47:47 4612 --a------ C:\msu32.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
11/03/2008 12:48 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [22/12/2007 11:19 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00 AM]
"BigPondWirelessBroadbandCM"="C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" [18/09/2007 02:02 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 07:25 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [24/01/2008 09:19 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 04:05 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security XP"=C:\WINDOWS\System32\nvsvc86.exe
"OfficeWord Monitors XP"=C:\WINDOWS\System32\mdms.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\ssqpn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Office Startup.lnk]
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office]
C:\WINDOWS\System32\mdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Driver]
C:\WINDOWS\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security XP]
C:\WINDOWS\System32\nvsvc86.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MS NET Service"=2 (0x2)
"gusvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Windows Driver"=C:\WINDOWS\rundll32.exe
"Microsoft Oftice"=C:\WINDOWS\System32\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"Windows Networking Monitoring"=C:\WINDOWS\System32\mdm.exe

*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON



-- End of Deckard's System Scanner: finished at 2008-03-11 13:23:56 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 127.55 MiB / 22.16 MiB
Pagefile Memory (total/avail): 339.97 MiB / 42.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.73 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 8.03 GiB total, 2.57 GiB free.
D: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - ST38410A - 8.03 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 8.03 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GX0PICTZSNYEMMO
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\GX0PICTZSNYEMMO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0502
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=GX0PICTZSNYEMMO
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems PCI Soft Modem --> agrsmdel
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BigPond ADSL SIK 5.6 Files --> C:\Program Files\Telstra\sikuninst.exe
BigPond Wireless Broadband 2.8.13 --> MsiExec.exe /I{0EEE3193-5E0D-471B-BFB0-0C2034F17B3B}
DX-Ball 1.09 --> C:\PROGRA~1\DX-Ball\UNWISE.EXE C:\PROGRA~1\DX-Ball\INSTALL.LOG
Files Secure --> C:\Program Files\Files-Secure\Uninstall.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 97, Professional Edition --> C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Nero 7 Essentials --> MsiExec.exe /I{F17F7703-1E72-40C1-A0DD-E5B365661033}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
World Gaming Center Version 2.1.2 with Gamescript Files --> "C:\Program Files\wgcenter\unins000.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type2678 / Success
Event Submitted/Written: 03/11/2008 01:12:22 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2675 / Warning
Event Submitted/Written: 03/11/2008 00:59:27 PM
Event ID/Source: 4362 / EventSystem
Event Description:
The COM+ Event System detected a corrupt IEventSubscription object. The COM+ Event System has removed object ID {7539DCAF-3D51-4208-A533-500C17BB2D8C}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber will no longer be notified when the event occurs.

Event Record #/Type2666 / Error
Event Submitted/Written: 03/11/2008 11:37:19 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-03-11 01:37:19,848 GX0PICTZSNYEMMO [001648:001684] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1068) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type2661 / Warning
Event Submitted/Written: 03/11/2008 06:15:04 AM
Event ID/Source: 4362 / EventSystem
Event Description:
The COM+ Event System detected a corrupt IEventSubscription object. The COM+ Event System has removed object ID {4C08452D-62FB-4F07-8BA5-271915502101}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber will no longer be notified when the event occurs.

Event Record #/Type2660 / Error
Event Submitted/Written: 03/11/2008 06:13:08 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type682 / Error
Event Submitted/Written: 03/11/2008 01:06:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type681 / Error
Event Submitted/Written: 03/11/2008 01:06:21 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type675 / Error
Event Submitted/Written: 03/11/2008 01:05:41 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

Event Record #/Type672 / Error
Event Submitted/Written: 03/11/2008 01:04:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type671 / Error
Event Submitted/Written: 03/11/2008 01:04:29 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.



-- End of Deckard's System Scanner: finished at 2008-03-11 13:23:56 ------------
  • 0

#14
andrewuk
    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will remove the rest of the malware I can see.

We will also do a rootkit scan to see if there is one hiding in there, and then we will do another Kaspersky scan to make sure we picked everything up.

====STEP 1====
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\System32\TFTP2972
    C:\WINDOWS\System32\TFTP2848
    C:\WINDOWS\System32\TFTP1056
    C:\WINDOWS\System32\TFTP3940
    C:\WINDOWS\System32\TFTP2216
    C:\WINDOWS\System32\setup_56458.exe
    C:\WINDOWS\System32\hqghumea.dll
    C:\WINDOWS\System32\wmsoft11721.exe
    C:\WINDOWS\System32\f4.exe
    C:\WINDOWS\System32\27031_redworld.exe
    C:\WINDOWS\System32\TFTP456
    C:\WINDOWS\System32\TFTP104
    C:\WINDOWS\System32\TFTP3424
    C:\msu32.exe
    C:\WINDOWS\System32\nvsvc86.exe
    C:\WINDOWS\System32\mdms.exe
    C:\WINDOWS\System32\mdm.exe
    C:\WINDOWS\rundll32.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
In this step we will be making some changes directly to your registry, so we will back it up first. Better safe than sorry!

Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch. <= important!
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.



Next, let's remove the unwanted items.

Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
Please copy the contents of the code box below into Notepad. To do this, highlight the contents of the box and right click on it.

Save it to your desktop as fixit.reg (filetype = any)

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security XP"=-
"OfficeWord Monitors XP"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Driver]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security XP]

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

(In case you are unsure how to create a reg file, take a look here with screenshots.)



====STEP 3====
Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
Thanks


====STEP 4====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could I see:
1. the OTMoveIt log
2. confirmation that the Registry Merge went OK.
3. the Sophos rootkit log, if any
4. the Kaspersky scan log

andrewuk
  • 0
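The fixit.reg in Step 2 above is the part of this post worth reading carefully before it is merged: the "Authentication Packages" value under Control\Lsa is the list of DLLs that LSA loads at logon, and restoring it to the default is what the hex(7) line does. The script below is an added example written for this thread, not a tool from the forum or from any of the helpers. It parses a REGEDIT4 file, decodes the hex(7) (REG_MULTI_SZ, stored as 8-bit text in the REGEDIT4 format) payload and lists every change the file will make, so a reader can confirm that the Authentication Packages list it writes is just the Windows XP default, msv1_0, and that the only other actions are deletions of the named Run entries and msconfig startup keys. The embedded copy of the fix file and the DEFAULT_AUTH_PACKAGES constant are constructed for the example.

```python
"""Added example: dry-run a REGEDIT4 .reg fix file before merging it.

Lists every action the file will perform and decodes the hex(7)
(REG_MULTI_SZ) payload so the LSA Authentication Packages value can be
compared against the known default. Not from the thread or its helpers.
"""
import re

# Constructed copy of the fixit.reg posted in Step 2 (same content).
FIXIT_REG = r"""REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security XP"=-
"OfficeWord Monitors XP"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Driver]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security XP]
"""

# Default LSA Authentication Packages list on Windows XP (assumption for
# the comparison; anything beyond msv1_0 deserves a second look).
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_multi_sz(hex_csv):
    """Decode a REGEDIT4 hex(7) payload into a list of strings.

    REGEDIT4 writes strings as 8-bit ANSI bytes; REG_MULTI_SZ is a run of
    NUL-terminated strings closed by an extra NUL.
    """
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def parse_reg(text):
    """Return the actions a .reg file performs when merged, as tuples:
    ("delete_key", key), ("delete_value", key, name), ("set", key, name, value)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    actions, key, pending = [], None, ""
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        # Long hex values are continued with a trailing backslash.
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        line = pending + line
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                actions.append(("delete_key", body[1:]))
                key = None
            else:
                key = body
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if not m or key is None:
            raise ValueError(f"unparsed line: {line}")
        name, value = m.groups()
        if value == "-":
            actions.append(("delete_value", key, name))
        elif value.startswith("hex(7):"):
            actions.append(("set", key, name, decode_multi_sz(value[len("hex(7):"):])))
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            actions.append(("set", key, name, value[1:-1]))
        else:
            actions.append(("set", key, name, value))  # other types kept raw
    return actions


def auth_packages_after_merge(actions):
    """The Authentication Packages list the file writes, or None if untouched."""
    for a in actions:
        if (a[0] == "set" and a[1].lower().endswith(r"\control\lsa")
                and a[2].lower() == "authentication packages"):
            return a[3]
    return None


if __name__ == "__main__":
    acts = parse_reg(FIXIT_REG)
    for a in acts:
        print(a)
    pkgs = auth_packages_after_merge(acts)
    print("Authentication Packages ->", pkgs,
          "(default)" if pkgs == DEFAULT_AUTH_PACKAGES else "(NOT default, review)")
```

Run it against any .reg file you are about to merge; a key that sets Authentication Packages to anything other than the expected default, or that adds a value rather than deleting one, is what to look at before double-clicking the file.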

#15
shaz
    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
Hi Andrew... I'm stuck on step 2... trying to open the file and I get an error message saying "fixit.reg is not a valid Win32 application". Not sure if I should move on to the other steps while waiting to see what to do about the fixit.reg thingy... I've downloaded the Sophos file but won't run it until I've got confirmation it's OK to do... I followed step 2 and re-did it 3 times to make sure I did it right but still get the same error message.
  • 0