help I have a serious bug - Vundo? ++ [CLOSED]


  • This topic is locked

#1
rogerisright69 (Member, 15 posts)
two days ago i picked up a nasty bug on serials.ws ...this is the second time this same creature has gotten me in two weeks ... it started with the CMD.exe and command.exe loading onto my system with all of the 1st premier bankcard pop ups etc. and has evolved into something that sits in my temp folder and replicates itself and spins off thousands of files ...I can delete all but two of them (mother and father?) ..it has slowed my system to a standstill ...it will not let me start any anti virus software without having to go in and change the names first...and even that does not work with HijackThis ...I am posting my HijackThis from the 6th when it worked and I have already run VundoFix (yes there was one in my system32 folder ...and i can't delete it no matter what I do or what I throw at it) ...after the VundoFix scan and a reboot it came right back. I have run ewido and adaware and after every cleaning it's right back ...i reformatted the last time and I refuse to have to do it again .....I want to beat this crap plus I don't know if I can convince Microsoft that all of these reinstalls are legit and they may not let me put my Office 2007 suite back on again ...anyone have any thoughts ??? when I try to download and run anything it's like the virus gets pissed off at me and goes a little crazy...Help! I have run ewido, and super spyware and atf cleaner and VundoFix and SmitFraudFix and have dss.exe and some others you recommended ...my computer doesn't want to go into safe mode at all and locks up during the initial startup scroll of .sys files ...any help will be much appreciated. ewido just found another downloader called "downloader .agent.hym" I would like to have 10 minutes in the same room with the guy who put these up ..roger

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:19 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Airlink101\AWLH5025\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLH5025\AWLH5025.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\HijammmmkThis.exe

O2 - BHO: (no name) - {022A7437-E6AA-45A6-877F-32E42DA93FA8} - (no file)
O2 - BHO: (no name) - {55806BD6-7C07-4086-861C-6001899B1255} - (no file)
O2 - BHO: (no name) - {6D56C2A2-C973-448B-8123-7D2718446D0C} - C:\WINDOWS\system32\awvtu.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe" /minimized
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MIMO XR TM PCI Adapter WLService (MIMO XR TM PCI WLService) - Unknown owner - C:\Program Files\Airlink101\AWLH5025\WLService.exe

--
End of file - 6246 bytes



SMIT FRAUD

SmitFraudFix v2.300

Scan done at 19:05:39.09, Fri 03/07/2008
Run from C:\Documents and Settings\Bobby Fischer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Airlink101\AWLH5025\WLService.exe
C:\Program Files\Airlink101\AWLH5025\AWLH5025.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\CURITY~1\taskmgr.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bobby Fischer


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bobby Fischer\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BOBBYF~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Airlink101 MIMO XR PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23DB08D-ABB3-4C8B-8A7F-9011516BFDBB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E23DB08D-ABB3-4C8B-8A7F-9011516BFDBB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by rogerisright69, 08 March 2008 - 11:25 PM.



#2
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi rogerisright69

welcome to geekstogo :)

i can see the vundo in your logs, and i can see a trojan.

given you have already tried vundofix, we will go down another route.

see if you can download this:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk
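As an added example (not code from this thread or from the HijackThis project), the script below encodes the checks a helper runs over the O2/O4/O20 lines of a log like the one posted above: a nameless BHO backed by a DLL that exists on disk, a populated AppInit_DLLs value, a Run entry that names a bare executable with no path, and leftover "(no file)" registrations. The sample lines are lifted from the logs in this thread; the severity labels and the heuristics themselves are my own assumptions.

```python
"""Triage a HijackThis log for the indicators a malware-removal helper
looks for in a Vundo case.  Added example, not code from the thread or
from the HijackThis project; the sample lines are copied from the logs
posted in this thread, the heuristics and severities are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines lifted from the HijackThis and DSS logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {022A7437-E6AA-45A6-877F-32E42DA93FA8} - (no file)
O2 - BHO: (no name) - {6D56C2A2-C973-448B-8123-7D2718446D0C} - C:\WINDOWS\system32\awvtu.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


@dataclass
class Finding:
    section: str   # HJT section id, e.g. "O2"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def program_token(cmd: str) -> str:
    """Return the executable part of a Run-key command, quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Scan HJT lines and return the entries worth a second look, worst first."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m["name"] == "(no name)" and m["path"] != "(no file)":
                # Vundo registers its DLL as a nameless BHO so it loads into every IE process.
                findings.append(Finding("O2", "high", "nameless BHO backed by a DLL on disk", line))
            elif m["path"] == "(no file)":
                findings.append(Finding("O2", "low", "orphaned BHO registration, file already gone", line))
        elif m := O4_RE.match(line):
            if "\\" not in program_token(m["cmd"]):
                # A bare name is resolved through the search path, so the file that
                # really runs is not visible in the log.  Legitimate entries (SoundMan)
                # trigger this too; the point is to check what the name resolves to.
                findings.append(Finding("O4", "medium", "Run entry names a bare executable with no path", line))
        elif m := O20_RE.match(line):
            if m["dlls"].strip():
                # AppInit_DLLs injects the named DLL into every process that loads
                # user32.dll; on a clean XP install the value is empty.
                findings.append(Finding("O20", "high", "AppInit_DLLs is populated", line))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
```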

#3
rogerisright69 (Topic Starter, Member, 15 posts)
okay I am with you ...the combo fix is coming down at a sizzling 373 bytes/second ...and I did get over to the "turn off your antivirus etc." page and have disabled all of those ...i have 16% of combo fix now and I think it's stuck ...thanks for the speedy response I appreciate it ra

#4
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
do you think you will be able to download combofix?

and do you still have Deckard System Scan on your machine?

andrewuk

#5
rogerisright69 (Topic Starter, Member, 15 posts)
very weird i had the file and double clicked it and the blue screen opened up for a few seconds then it gobbled up over 1/2 of my desktop icons and now the little red circle with the X on it is nowhere to be found and nothing is running and I responded to no prompts ???

#7
rogerisright69 (Topic Starter, Member, 15 posts)
combo fix is down but won't run and I am getting deckard back down again now. how do you want me to fire up combofix?

#8
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
if you can get combofix to run, then run it and post the combofix log and a hijackthis log.

if it has run, you will find the log here: C:\ComboFix.txt

if you can't, then run the DSS scan and post that log.

andrewuk

Edited by andrewuk, 09 March 2008 - 12:46 AM.


#9
rogerisright69 (Topic Starter, Member, 15 posts)
HERE IS THE DSS.EXE

Deckard's System Scanner v20071014.68
Run by Bobby Fischer on 2008-03-09 01:16:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.38 GiB (less than 15%) free.


-- HijackThis (run as Bobby Fischer.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:58 AM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Airlink101\AWLH5025\WLService.exe
C:\Program Files\Airlink101\AWLH5025\AWLH5025.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bobby Fischer\Desktop\dss333.exe
C:\PROGRA~1\COMMON~1\Bobby Fischer.exe

O2 - BHO: (no name) - {221B2B91-8B68-49B4-BE31-0FCC8412DC37} - C:\WINDOWS\system32\awvtu.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe" /minimized
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MIMO XR TM PCI Adapter WLService (MIMO XR TM PCI WLService) - Unknown owner - C:\Program Files\Airlink101\AWLH5025\WLService.exe

--
End of file - 5003 bytes

-- Files created between 2008-02-09 and 2008-03-09 -----------------------------

2008-03-09 01:16:48 396288 --a------ C:\Program Files\Common Files\Bobby Fischer.exe <Not Verified; Trend Micro Inc.; HijackThis>
2008-03-09 00:41:57 6656 --a------ C:\WINDOWS\system32\users32.dat
2008-03-08 21:01:31 396288 --a------ C:\Program Files\Common Files\HijammmmkThis.exe <Not Verified; Trend Micro Inc.; HijackThis>
2008-03-08 21:00:52 0 d-------- C:\Program Files\Common Files\New Folder
2008-03-08 16:46:32 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-08 13:44:05 92224 --a------ C:\WINDOWS\system32\eevnobxc.dll
2008-03-08 13:41:47 87104 --a------ C:\WINDOWS\system32\qpqttlmx.dll
2008-03-08 13:41:03 149056 --a------ C:\WINDOWS\system32\kxhinmjr.dll
2008-03-08 02:52:33 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Grisoft
2008-03-08 02:28:40 0 d-------- C:\Program Files\Lavasoft
2008-03-08 02:28:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 02:26:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 02:13:55 0 d-------- C:\Program Files\Spybot - Search & Destroy1
2008-03-08 02:08:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-07 13:40:59 87104 --a------ C:\WINDOWS\system32\wfpknlhb.dll
2008-03-07 13:40:31 90688 --a------ C:\WINDOWS\system32\chciqvjq.dll
2008-03-07 13:40:16 149056 --a------ C:\WINDOWS\system32\wqaggrsq.dll
2008-03-07 13:39:55 149056 --a------ C:\WINDOWS\system32\phmedked.dll
2008-03-07 12:30:42 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-06 22:43:36 308712 --a------ C:\WINDOWS\system32\winivstr.exe
2008-03-06 22:39:10 6144 --a------ C:\WINDOWS\system32\cru629.dat
2008-03-06 22:39:10 6144 --a------ C:\WINDOWS\cru629.dat
2008-03-06 22:39:10 16384 --a------ C:\WINDOWS\braviax.exe
2008-03-06 22:37:45 16384 --a------ C:\WINDOWS\system32\braviax.exe
2008-03-06 20:14:30 0 d-------- C:\Program Files\Trend Micro
2008-03-06 20:08:35 1696 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-06 20:08:03 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-06 20:08:03 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-06 20:08:03 86016 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-06 20:08:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-06 20:08:03 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-06 20:08:03 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-06 20:08:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-06 13:39:25 96320 --a------ C:\WINDOWS\system32\vdpivdqe.dll
2008-03-06 13:38:49 149056 --a------ C:\WINDOWS\system32\bvkmbrqp.dll
2008-03-06 13:37:56 172282 --ahs---- C:\WINDOWS\system32\utvwa.ini2
2008-03-06 13:37:50 324160 --a------ C:\WINDOWS\system32\awvtu.dll
2008-03-06 12:38:29 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\W?nSxS
2008-03-06 12:27:14 19915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.0.1>
2008-03-06 12:27:13 40960 --a------ C:\WINDOWS\system32\AWLH5025.dll
2008-03-06 12:27:12 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-03-06 12:27:12 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-03-06 12:27:12 0 d-------- C:\Program Files\Airlink101
2008-03-05 22:48:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 10:10:09 0 d-------- C:\kav
2008-03-05 09:58:51 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-05 09:21:10 17236 --a------ C:\WINDOWS\system32\ddcyy.dll
2008-03-05 09:16:37 0 d--hs---- C:\WINDOWS\Um9nZXI
2008-03-05 09:16:13 86016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys
2008-03-05 09:16:10 0 d-------- C:\WINDOWS\system32\x3
2008-03-05 09:16:10 0 d-------- C:\WINDOWS\system32\s7
2008-03-05 09:16:10 0 d-------- C:\WINDOWS\system32\k8
2008-03-05 09:16:10 0 d-------- C:\WINDOWS\system32\c4
2008-03-05 09:16:10 0 d-------- C:\Program Files\??curity
2008-03-05 09:16:04 0 d-------- C:\WINDOWS\system32\iDlo01
2008-03-05 05:37:57 36864 --a------ C:\WINDOWS\system32\eetransx.exe <Not Verified; evidence-eliminator.com; Evidence Eliminator ™>
2008-03-05 05:37:57 61440 --a------ C:\WINDOWS\system32\Eeshellx.dll <Not Verified; evidence-eliminator.com; Evidence Eliminator ™>
2008-03-05 05:37:57 118784 --a------ C:\WINDOWS\system32\EEGenFn1.dll <Not Verified; Robin Hood Software Ltd; EEGenfn1>
2008-03-05 05:37:55 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-03-05 05:37:55 0 d-------- C:\Program Files\Evidence Eliminator
2008-03-05 02:35:02 0 d-------- C:\WINDOWS\pss
2008-03-04 19:58:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 19:45:42 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\TrueSwitch
2008-03-04 19:12:13 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-03-04 19:01:19 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-03-04 14:42:16 0 d-------- C:\Program Files\VeryPDF PDF Editor v2.2
2008-03-03 21:29:57 0 d-------- C:\Program Files\Download Direct
2008-03-03 21:07:44 634880 --a------ C:\WINDOWS\system32\GSPROP32.DLL <Not Verified; Bits Per Second Ltd; GSPROP>
2008-03-03 21:07:44 59392 --a------ C:\WINDOWS\system32\fce32.DLL
2008-03-03 21:07:26 0 d-------- C:\Program Files\FLSPlan
2008-03-03 06:08:55 0 d-------- C:\Program Files\VeryPDF Form Filler v3.0
2008-03-02 17:00:36 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\ATI
2008-03-02 17:00:36 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-03-02 16:52:31 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Leadertech
2008-03-02 01:57:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-02 00:25:21 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-02 00:25:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-02 00:25:11 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-01 22:58:07 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Google
2008-03-01 22:55:45 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Macromedia
2008-03-01 22:55:42 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Adobe
2008-03-01 22:55:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-03-01 22:55:32 0 d-------- C:\Program Files\Google
2008-03-01 19:32:08 0 d---s---- C:\Documents and Settings\Bobby Fischer\UserData
2008-03-01 19:24:39 0 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-03-01 19:24:17 0 d-------- C:\Program Files\Siber Systems
2008-03-01 17:35:32 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-01 17:35:17 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-01 17:34:42 0 d-------- C:\Program Files\ATI Technologies
2008-03-01 17:33:28 0 d-------- C:\ATI
2008-03-01 17:32:24 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-03-01 17:31:59 4127488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys <Not Verified; Realtek Semiconductor Corp.; Windows ® WDM driver for Realtek AC'97 Audio(HRTF data Copyright 1994 by MIT Media Lab)>
2008-03-01 17:31:18 0 d-------- C:\Program Files\Realtek AC97
2008-03-01 17:31:13 10528768 --a------ C:\WINDOWS\system32\RTLCPL.exe <Not Verified; Realtek Semiconductor Corp.; Realtek Audio Sound Effect Manager>
2008-03-01 17:31:06 577536 --a------ C:\WINDOWS\soundman.exe <Not Verified; Realtek Semiconductor Corp.; Realtek Sound Manager>
2008-03-01 17:31:05 147456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll <Not Verified; ; RtlCPAPI Module>
2008-03-01 17:31:05 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-03-01 17:31:05 217088 --a------ C:\WINDOWS\Alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-03-01 17:18:04 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-01 12:43:44 0 d-------- C:\Program Files\Microsoft Works
2008-03-01 12:43:03 0 d-------- C:\Program Files\MSBuild
2008-03-01 12:36:19 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-01 12:33:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-01 12:08:17 319104 --a------ C:\WINDOWS\system32\drivers\RT61.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11 Wireless Adapters>
2008-03-01 12:08:17 8192 --a------ C:\WINDOWS\system32\drivers\RT2661.bin
2008-03-01 12:08:17 8192 --a------ C:\WINDOWS\system32\drivers\rt2561s.bin
2008-03-01 12:08:17 8192 --a------ C:\WINDOWS\system32\drivers\RT2561.bin
2008-03-01 12:08:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-01 12:08:00 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-01 12:05:32 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Identities
2008-03-01 12:05:06 0 dr------- C:\Documents and Settings\Bobby Fischer\Favorites
2008-03-01 12:05:06 0 d-------- C:\Documents and Settings\Bobby Fischer\Desktop
2008-03-01 12:05:06 0 d---s---- C:\Documents and Settings\Bobby Fischer\Cookies
2008-03-01 12:05:06 0 dr-h----- C:\Documents and Settings\Bobby Fischer\Application Data
2008-03-01 12:05:05 0 d--h----- C:\Documents and Settings\Bobby Fischer\Templates
2008-03-01 12:05:05 0 dr------- C:\Documents and Settings\Bobby Fischer\Start Menu
2008-03-01 12:05:05 0 dr-h----- C:\Documents and Settings\Bobby Fischer\SendTo
2008-03-01 12:05:05 0 dr-h----- C:\Documents and Settings\Bobby Fischer\Recent
2008-03-01 12:05:05 0 d--h----- C:\Documents and Settings\Bobby Fischer\PrintHood
2008-03-01 12:05:05 2621440 --ah----- C:\Documents and Settings\Bobby Fischer\NTUSER.DAT
2008-03-01 12:05:05 0 d--h----- C:\Documents and Settings\Bobby Fischer\NetHood
2008-03-01 12:05:05 0 dr------- C:\Documents and Settings\Bobby Fischer\My Documents
2008-03-01 12:05:05 0 d--h----- C:\Documents and Settings\Bobby Fischer\Local Settings
2008-03-01 12:01:28 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-01 12:01:10 0 d-------- C:\WINDOWS\Prefetch
2008-03-01 12:01:09 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-01 12:01:08 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-01 12:01:08 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-03-01 12:01:08 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-01 12:01:08 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-01 12:01:07 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-01 11:59:32 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-01 11:59:32 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-01 11:59:32 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-03-01 11:59:32 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-01 11:59:32 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-01 11:53:18 0 d-------- C:\WINDOWS\system32\xircom
2008-03-01 11:53:18 0 d-------- C:\Program Files\microsoft frontpage
2008-03-01 11:51:34 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-01 11:51:20 0 -rahs---- C:\MSDOS.SYS
2008-03-01 11:51:20 0 -rahs---- C:\IO.SYS
2008-03-01 11:51:20 0 --a------ C:\CONFIG.SYS
2008-03-01 11:51:20 0 --a------ C:\AUTOEXEC.BAT
2008-03-01 11:48:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-01 11:48:24 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-01 11:48:24 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-01 11:48:00 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-01 11:47:25 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-01 11:46:39 0 d---s---- C:\WINDOWS\Tasks
2008-03-01 11:46:37 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-01 11:46:31 0 d-------- C:\WINDOWS\srchasst
2008-03-01 11:46:30 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-01 11:46:06 0 d-------- C:\WINDOWS\system32\Restore
2008-03-01 04:24:00 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-01 04:23:29 0 d-------- C:\WINDOWS\Registration
2008-03-01 04:23:13 0 d-------- C:\Program Files\Online Services
2008-03-01 04:21:40 0 d-------- C:\Program Files\Windows Plus
2008-03-01 04:21:02 0 d-------- C:\Program Files\Movie Maker
2008-03-01 04:18:21 0 d-------- C:\Program Files\Messenger
2008-03-01 04:18:15 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-01 04:17:10 0 d-------- C:\Program Files\Windows NT
2008-03-01 04:17:06 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-01 04:17:04 0 d-------- C:\WINDOWS\system32\Com
2008-02-29 20:07:34 0 d--hs---- C:\WINDOWS\Installer
2008-02-29 20:07:32 0 d-------- C:\Program Files\Common Files\ODBC
2008-02-29 20:07:26 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-02-29 20:07:25 0 dr------- C:\Program Files
2008-02-29 20:07:25 0 d-------- C:\Program Files\Common Files
2008-02-29 20:06:55 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-02-29 20:06:55 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-02-29 20:06:55 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-02-29 20:06:55 0 dr------- C:\Documents and Settings\All Users\Documents
2008-02-29 20:06:55 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-02-29 20:06:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-02-29 20:06:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-02-29 20:06:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-02-29 20:06:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-02-29 20:06:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-02-29 20:06:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-02-29 20:06:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-02-29 20:06:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-02-29 20:06:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-02-29 20:06:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-02-29 20:06:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-02-29 20:06:26 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-02-29 20:06:26 0 d-------- C:\WINDOWS\system32\CatRoot
2008-02-29 20:06:20 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-02-29 20:06:20 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-02-29 20:06:19 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-02-29 20:06:19 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-02-29 20:05:47 0 d-------- C:\Documents and Settings
2008-02-29 20:05:46 0 d--hs---- C:\System Volume Information
2008-02-29 19:56:49 0 d-------- C:\WINDOWS
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\WinSxS
2008-02-29 19:56:49 0 dr------- C:\WINDOWS\Web
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\twain_32
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\wins
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\wbem
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\usmt
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\spool
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\ShellExt
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\Setup
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\ras
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\oobe
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\npp
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\mui
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\inetsrv
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\IME
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\icsxml
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\ias
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\export
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\drivers
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-02-29 19:56:49 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\dhcp
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\config
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\3076
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\2052
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1054
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1042
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1041
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1037
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1033
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1031
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1028
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system32\1025
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\system
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\security
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Resources
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\repair
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Provisioning
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\PeerNet
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\pchealth
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\mui
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\msapps
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\msagent
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Media
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\java
2008-02-29 19:56:49 0 d--h----- C:\WINDOWS\inf
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\ime
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Help
2008-02-29 19:56:49 0 dr--s---- C:\WINDOWS\Fonts
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\ehome
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Driver Cache
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Debug
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Cursors
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Connection Wizard
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\Config
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\AppPatch
2008-02-29 19:56:49 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-09 01:16:58 5004 --a------ C:\Program Files\Common Files\hijackthis.log
2008-03-08 08:09:04 0 d-------- C:\Documents and Settings\Bobby Fischer\Application Data\W?nSxS
2008-03-08 06:40:46 0 d-------- C:\Program Files\??curity
2008-02-29 20:06:54 62 --ahs---- C:\Documents and Settings\Bobby Fischer\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{221B2B91-8B68-49B4-BE31-0FCC8412DC37}]
03/06/2008 01:37 PM 324160 --a------ C:\WINDOWS\system32\awvtu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 04:04 AM]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 03:28 PM C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe" [06/11/2007 01:25 AM]
"braviax"="braviax.exe" [03/09/2008 12:34 AM C:\WINDOWS\system32\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [03/08/2008 02:44 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvtu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bobby Fischer^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Bobby Fischer\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b843e7d8]
rundll32.exe "C:\WINDOWS\system32\hjutrqnd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bhte]
"C:\PROGRA~1\CURITY~1\taskmgr.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
C:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
C:\Program Files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkpdj]
C:\WINDOWS\system32\??mantec\m?hta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
C:\Program Files\Evidence Eliminator\ee.exe /m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Imst]
"C:\Documents and Settings\Bobby Fischer\Application Data\W?nSxS\r?ndll.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"




-- End of Deckard's System Scanner: finished at 2008-03-09 01:18:06 ------------

AND HERE IS THE HJT LOG

#10
rogerisright69 (Topic Starter, Member, 15 posts)
HERE IS THE DSS.EXE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:19 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Airlink101\AWLH5025\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLH5025\AWLH5025.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\HijammmmkThis.exe

O2 - BHO: (no name) - {022A7437-E6AA-45A6-877F-32E42DA93FA8} - (no file)
O2 - BHO: (no name) - {55806BD6-7C07-4086-861C-6001899B1255} - (no file)
O2 - BHO: (no name) - {6D56C2A2-C973-448B-8123-7D2718446D0C} - C:\WINDOWS\system32\awvtu.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe" /minimized
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MIMO XR TM PCI Adapter WLService (MIMO XR TM PCI WLService) - Unknown owner - C:\Program Files\Airlink101\AWLH5025\WLService.exe

--
End of file - 6246 bytes

Deckard's System Scanner v20071014.68
Run by Bobby Fischer on 2008-03-09 01:16:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.38 GiB (less than 15%) free.


-- HijackThis (run as Bobby Fischer.exe) ------

#11
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Your machine has taken quite a battering, but let's see what we can do.

We will remove the malware I can see, which will require us to make changes directly to the Registry; hence we will be backing up the Registry part way through the fix.

====STEP 1====
Please download OTMoveIt2 by OldTimer and save it to your desktop.

Do NOT run it yet


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {221B2B91-8B68-49B4-BE31-0FCC8412DC37} - C:\WINDOWS\system32\awvtu.dll
O20 - AppInit_DLLs: cru629.dat

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\users32.dat
    C:\WINDOWS\system32\eevnobxc.dll
    C:\WINDOWS\system32\qpqttlmx.dll
    C:\WINDOWS\system32\kxhinmjr.dll
    C:\WINDOWS\system32\wfpknlhb.dll
    C:\WINDOWS\system32\chciqvjq.dll
    C:\WINDOWS\system32\wqaggrsq.dll
    C:\WINDOWS\system32\phmedked.dll
    C:\WINDOWS\system32\winivstr.exe
    C:\WINDOWS\system32\cru629.dat
    C:\WINDOWS\cru629.dat
    C:\WINDOWS\braviax.exe
    C:\WINDOWS\system32\braviax.exe
    C:\WINDOWS\system32\vdpivdqe.dll
    C:\WINDOWS\system32\bvkmbrqp.dll
    C:\WINDOWS\system32\utvwa.ini2
    C:\WINDOWS\system32\awvtu.dll
    C:\WINDOWS\system32\ddcyy.dll
    C:\WINDOWS\system32\drivers\ipfltdrvv.sys
    C:\WINDOWS\system32\x3
    C:\WINDOWS\system32\s7
    C:\WINDOWS\system32\k8
    C:\WINDOWS\system32\c4
    C:\WINDOWS\system32\iDlo01
    C:\WINDOWS\system32\hjutrqnd.dll
    C:\PROGRA~1\CURITY~1\taskmgr.exe
    C:\WINDOWS\mrofinu572.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
In this step we will be making direct changes to the Registry, so we will back it up. Better safe than sorry!

Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch. <= important!
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.



Next, let's remove the unwanted items.

Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
Please copy the contents of the code box below into Notepad. To do this, highlight the contents of the box and right-click on it.

Save it to your desktop as fixit.reg (filetype = any)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b843e7d8]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bhte]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkpdj]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Imst]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

(In case you are unsure how to create a reg file, take a look here with screenshots.)


====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


In your next reply can I see:
1. the OTMoveIT log
2. confirmation that the Registry Merge went through ok
3. the Malwarebytes log
4. a new Hijackthis log

there may be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
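The checks behind STEP 2, as an added example that is not part of andrewuk's post or of any tool named in this thread: a Python script that parses the two Registry Dump stanzas quoted from the DSS log above, reports any LSA authentication package other than msv1_0 and any AppInit_DLLs setting, and decodes the hex(7) line of fixit.reg to confirm it restores the default list. The function names and the expected-package list are my own assumptions.

```python
import re

# Constructed sample: the two Registry Dump stanzas from the DSS log in this
# thread (the LSA package list and AppInit_DLLs), copied here so the script
# runs offline.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvtu.dll
"""

# Constructed sample: the LSA part of the fixit.reg posted above.
SAMPLE_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
# On a default Windows XP install the LSA authentication package list is msv1_0 only
# (assumption used as the baseline here).
EXPECTED_AUTH_PACKAGES = ["msv1_0"]


def parse_dump(text):
    """Parse DSS-dump or .reg style text into {key: {value_name: value}}.

    Key paths and value names are lowercased so the mixed-case spellings in the
    dump and in fixit.reg compare equal. A repeated value name keeps the last
    assignment, which is also what regedit does when merging a .reg file.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            match = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
            if match:
                keys[current][match.group(1).lower()] = match.group(2).strip()
    return keys


def audit_dump(text):
    """Return human-readable findings for the two persistence points used here."""
    findings = []
    keys = parse_dump(text)
    packages = keys.get(LSA_KEY, {}).get("authentication packages", "").split()
    for package in packages:
        if package.lower() not in EXPECTED_AUTH_PACKAGES:
            # Anything listed here is loaded into lsass.exe at boot, before any
            # user logs on, which is why the DLL survived every cleanup attempt.
            findings.append(f"LSA Authentication Packages loads non-default package: {package}")
    appinit = keys.get(WINDOWS_KEY, {}).get("appinit_dlls", "")
    if appinit:
        # AppInit_DLLs is loaded into every process that loads user32.dll.
        findings.append(f"AppInit_DLLs is set: {appinit}")
    return findings


def decode_reg_multi_sz(literal):
    """Decode a 'hex(7):aa,bb,...' literal from a REGEDIT4 file into its strings.

    REGEDIT4 (unlike 'Windows Registry Editor Version 5.00') stores strings as
    ANSI bytes, so each byte is one character; the list ends at the empty string.
    """
    hex_bytes = literal.split(":", 1)[1]
    raw = bytes(int(h, 16) for h in hex_bytes.split(",") if h.strip())
    strings = []
    for item in raw.decode("latin-1").split("\x00"):
        if item == "":
            break
        strings.append(item)
    return strings


def fix_restores_default(reg_text):
    """True if the .reg text sets LSA Authentication Packages to exactly msv1_0."""
    value = parse_dump(reg_text).get(LSA_KEY, {}).get("authentication packages", "")
    if not value.lower().startswith("hex(7):"):
        return False
    return decode_reg_multi_sz(value) == EXPECTED_AUTH_PACKAGES


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print("FINDING:", finding)
    print("fixit.reg restores the default package list:", fix_restores_default(SAMPLE_FIX))
```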

#12
rogerisright69 (Topic Starter, Member, 15 posts)
I AM BACK WITH YOU ANDREW ..
  • 0

#13
rogerisright69

    Member

  • Topic Starter
  • Member
  • 15 posts
Hah, I read in one of your geeks' threads to try downloading ComboFix by saving it as Combo-Fix and running it that way, which I did, and it bypassed the blockade. Here are the results:

ComboFix 08-03-09.1 - Bobby Fischer 2008-03-09 12:25:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1038 [GMT -8:00]
Running from: C:\Documents and Settings\Bobby Fischer\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Bobby Fischer\Application Data\WNSXS~1
C:\Documents and Settings\Bobby Fischer\Favorites\Online Security Guide.lnk
C:\Program Files\curity~1
C:\Program Files\curity~1\??curity\
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\bhlnkpfw.ini
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\bvkmbrqp.dll
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\c4\np89104.exe
C:\WINDOWS\system32\ccuayjfg.dllbox
C:\WINDOWS\system32\chciqvjq.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ipfltdrvv.sys
C:\WINDOWS\system32\eevnobxc.dll
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\kxhinmjr.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phmedked.dll
C:\WINDOWS\system32\qpqttlmx.dll
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\s7\gbsu011.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\vdpivdqe.dll
C:\WINDOWS\system32\wfpknlhb.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wqaggrsq.dll
C:\WINDOWS\system32\wqaggrsq.dllbox
C:\WINDOWS\system32\x3
C:\WINDOWS\system32\xhppweme.dllbox
C:\WINDOWS\system32\xmlttqpq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CMDSERVICE
-------\LEGACY_IPFLTDRVV
-------\LEGACY_NETWORK_MONITOR
-------\ipfltdrvv


((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 01:16 . 2008-03-09 01:16 <DIR> d-------- C:\Deckard
2008-03-09 01:16 . 2008-03-08 21:01 396,288 --a------ C:\Program Files\Common Files\Bobby Fischer.exe
2008-03-08 21:01 . 2008-03-08 21:01 396,288 --a------ C:\Program Files\Common Files\HijammmmkThis.exe
2008-03-08 21:00 . 2008-03-08 21:00 <DIR> d-------- C:\Program Files\Common Files\New Folder
2008-03-08 16:46 . 2008-03-08 16:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-03-08 13:41 . 2008-03-08 13:41 149,056 --a------ C:\WINDOWS\system32\xhppweme.dll.vir
2008-03-08 02:52 . 2008-03-08 02:52 <DIR> d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Grisoft
2008-03-08 02:28 . 2008-03-08 02:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-08 02:28 . 2008-03-08 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 02:26 . 2008-03-08 02:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 02:13 . 2008-03-08 22:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy1
2008-03-08 02:08 . 2008-03-08 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 02:08 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-07 12:30 . 2008-03-07 12:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-07 11:41 . 2008-03-08 02:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 20:14 . 2008-03-06 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 13:39 . 2008-03-06 14:26 414 ---hs---- C:\WINDOWS\system32\dnqrtujh.ini
2008-03-06 12:27 . 2008-03-06 12:27 <DIR> d-------- C:\Program Files\Airlink101
2008-03-06 12:27 . 2003-10-13 15:30 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-03-06 12:27 . 2004-04-30 15:12 40,960 --a------ C:\WINDOWS\system32\AWLH5025.dll
2008-03-06 12:27 . 2003-09-25 23:28 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD
2008-03-06 12:27 . 2008-03-06 12:27 19,915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-06 12:27 . 2003-09-25 22:15 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2008-03-05 23:10 . 2008-03-06 19:28 1,018 --a------ C:\WINDOWS\wininit.ini
2008-03-05 22:48 . 2008-03-08 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 10:10 . 2008-03-05 10:10 <DIR> d-------- C:\kav
2008-03-05 09:16 . 2008-03-08 03:14 <DIR> d--hs---- C:\WINDOWS\Um9nZXI
2008-03-05 05:37 . 2008-03-05 05:38 <DIR> d-------- C:\Program Files\Evidence Eliminator
2008-03-05 05:37 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-03-05 05:37 . 2007-07-12 12:52 118,784 --a------ C:\WINDOWS\system32\EEGenFn1.dll
2008-03-05 05:37 . 1999-05-29 21:33 114,696 --a------ C:\WINDOWS\system32\Fablock6.ocx
2008-03-05 05:37 . 2007-04-24 16:21 61,440 --a------ C:\WINDOWS\system32\Eeshellx.dll
2008-03-05 05:37 . 2007-08-13 15:24 36,864 --a------ C:\WINDOWS\system32\eetransx.exe
2008-03-05 05:37 . 1996-05-03 23:05 28,672 --a------ C:\WINDOWS\system32\MSGHOO32.OCX
2008-03-04 19:58 . 2008-03-05 09:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 19:45 . 2008-03-04 19:45 <DIR> d-------- C:\Documents and Settings\Bobby Fischer\Application Data\TrueSwitch
2008-03-04 19:12 . 2008-03-04 19:12 249,856 --------- C:\WINDOWS\Setup1.exe
2008-03-04 19:12 . 2008-03-04 19:12 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-04 19:01 . 2008-03-04 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-03-04 14:42 . 2008-03-05 04:08 <DIR> d-------- C:\Program Files\VeryPDF PDF Editor v2.2
2008-03-03 21:29 . 2008-03-05 10:01 <DIR> d-------- C:\Program Files\Download Direct
2008-03-03 21:07 . 2008-03-03 21:10 <DIR> d-------- C:\Program Files\FLSPlan
2008-03-03 21:07 . 1998-11-23 07:50 634,880 --a------ C:\WINDOWS\system32\GSPROP32.DLL
2008-03-03 21:07 . 1998-11-11 07:50 423,016 --a------ C:\WINDOWS\system32\Gsw32.exe
2008-03-03 21:07 . 1999-01-12 16:46 242,816 --a------ C:\WINDOWS\system32\GSWAG32.DLL
2008-03-03 21:07 . 1998-11-11 07:50 152,688 --a------ C:\WINDOWS\system32\GSWDLL32.DLL
2008-03-03 21:07 . 2004-08-26 09:22 59,392 --a------ C:\WINDOWS\system32\fce32.DLL
2008-03-03 06:08 . 2008-03-03 06:08 <DIR> d-------- C:\Program Files\VeryPDF Form Filler v3.0
2008-03-02 17:00 . 2008-03-02 17:00 <DIR> d-------- C:\Documents and Settings\Bobby Fischer\Application Data\ATI
2008-03-02 17:00 . 2008-03-02 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-03-02 16:52 . 2008-03-02 16:52 <DIR> d-------- C:\Documents and Settings\Bobby Fischer\Application Data\Leadertech
2008-03-02 01:57 . 2008-03-02 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-02 00:25 . 2008-03-02 00:25 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-02 00:25 . 2008-03-02 00:27 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-01 22:55 . 2008-03-02 16:59 <DIR> d-------- C:\Program Files\Google
2008-03-01 19:32 . 2008-03-07 01:31 <DIR> d---s---- C:\Documents and Settings\Bobby Fischer\UserData
2008-03-01 19:24 . 2008-03-01 19:24 <DIR> d-------- C:\Program Files\Siber Systems
2008-03-01 19:24 . 2008-03-01 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-03-01 17:35 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-03-01 17:34 . 2008-03-01 17:38 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-01 17:32 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-03-01 17:31 . 2008-03-01 17:31 <DIR> d-------- C:\Program Files\Realtek AC97
2008-03-01 17:31 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2008-03-01 17:31 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-03-01 17:31 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-03-01 17:31 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2008-03-01 17:31 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-03-01 17:31 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-03-01 17:31 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-03-01 17:31 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2008-03-01 17:18 . 2008-03-01 17:18 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-01 12:43 . 2008-03-01 12:43 <DIR> d-------- C:\Program Files\MSBuild
2008-03-01 12:43 . 2008-03-01 12:43 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-01 12:36 . 2008-03-01 12:41 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-01 12:33 . 2008-03-06 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-01 12:08 . 2008-03-01 17:37 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-01 12:08 . 2008-03-01 17:36 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-01 12:08 . 2005-06-04 20:07 319,104 --a------ C:\WINDOWS\system32\drivers\RT61.sys
2008-03-01 12:08 . 2005-06-14 15:35 36,864 --a------ C:\WINDOWS\system32\ss.dll
2008-03-01 12:08 . 2005-06-17 13:48 19,968 --a------ C:\WINDOWS\system32\drivers\ss.sys
2008-03-01 12:08 . 2005-06-22 10:44 8,192 --a------ C:\WINDOWS\system32\drivers\RT2661.bin
2008-03-01 12:08 . 2005-06-22 10:44 8,192 --a------ C:\WINDOWS\system32\drivers\rt2561s.bin
2008-03-01 12:08 . 2005-06-22 10:44 8,192 --a------ C:\WINDOWS\system32\drivers\RT2561.bin
2008-03-01 12:01 . 2008-03-01 12:01 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-03-01 04:24 . 2008-03-01 04:24 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-01 04:23 . 2008-03-01 04:23 37 --a------ C:\WINDOWS\vbaddin.ini
2008-03-01 04:23 . 2008-03-01 04:23 36 --a------ C:\WINDOWS\vb.ini
2008-03-01 04:21 . 2008-03-08 02:49 <DIR> d-------- C:\Program Files\Windows Plus
2008-03-01 04:19 . 2004-07-01 02:06 10,604,352 --a--c--- C:\WINDOWS\system32\dllcache\ehcir.ird
2008-03-01 04:18 . 2004-08-10 04:00 2,178,131 --a--c--- C:\WINDOWS\system32\dllcache\shvlres.dll
2008-03-01 04:17 . 2008-03-01 04:23 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2008-03-01 04:16 . 2004-08-10 04:00 1,352,192 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-02-29 20:13 . 2004-08-03 15:07 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-02-29 20:13 . 2004-08-03 14:39 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-02-29 20:13 . 2004-08-03 15:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-02-29 20:13 . 2001-08-17 06:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-02-29 20:13 . 2004-08-03 15:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-02-29 20:13 . 2004-08-03 14:58 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-02-29 20:13 . 2004-08-03 15:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-02-29 20:12 . 2004-08-03 14:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 09:16 5,004 ----a-w C:\Program Files\Common Files\hijackthis.log
2008-03-06 06:29 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-02 07:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-01 19:53 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
Files Infected - Win32.Agent.zb
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-03-08 02:44 160592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas1.exe" [2007-06-11 01:25 6731312]
"braviax"="braviax.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Bobby Fischer^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Bobby Fischer\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b843e7d8]
C:\WINDOWS\system32\hjutrqnd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bhte]
C:\PROGRA~1\CURITY~1\taskmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
C:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
C:\Program Files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkpdj]
C:\WINDOWS\system32\??mantec\m?hta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
--a------ 2008-01-11 16:07 920222 C:\Program Files\Evidence Eliminator\ee.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Imst]
C:\Documents and Settings\Bobby Fischer\Application Data\W?nSxS\r?ndll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SI3112r;ATI-437A Serial ATA Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2006-08-08 06:19]
R2 MIMO XR TM PCI WLService;MIMO XR TM PCI Adapter WLService;C:\Program Files\Airlink101\AWLH5025\WLService.exe [2004-03-29 16:08]
R3 epstw2k;SCM Parallel Port SCSI Driver;C:\WINDOWS\system32\DRIVERS\epstw2k.sys [2001-08-17 05:50]
R3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 05:53]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-17 13:48]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 12:49:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Airlink101\AWLH5025\AWLH5025.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2008-03-09 12:52:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 20:51:56
  • 0
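The "Reg Loading Points" section of the ComboFix log above carries most of the signal a helper reads when deciding what to clean: the `braviax` Run entry whose file ComboFix could not find (the same braviax.exe already appears under Other Deletions), startupreg paths printed with `?` where the real directory name holds characters the log could not render (`??mantec`, `W?nSxS`), Security Center notifications switched off, and the Windows Firewall disabled in the standard profile. As an added example, not code from the thread or from ComboFix, here is a small Python triage script that applies those four checks to lines constructed from the log above. The reading of empty `[]` brackets as "file not found" and of `?` as an unprintable character is my interpretation of the log format; the rule names and the `LOG` sample are mine.

```python
import re

# Constructed sample: lines taken from the Reg Loading Points section of the log.
LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"braviax"="braviax.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkpdj]
C:\WINDOWS\system32\??mantec\m?hta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_sections(text):
    """Group the log into {key: [lines]} using the [KEY] header lines."""
    sections, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            sections[key] = []
        elif key is not None:
            sections[key].append(line)
    return sections


def value_pairs(lines):
    """Yield (name, rest) for lines of the form "name"=rest."""
    for line in lines:
        m = re.match(r'"([^"]*)"=\s*(.*)', line)
        if m:
            yield m.group(1), m.group(2)


def as_int(data):
    """Parse dword:hex or the '0 (0x0)' form ComboFix prints for policy values."""
    data = data.strip()
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def startup_path(line):
    """Strip the 'attrs date time size ' prefix ComboFix prints for files it found."""
    if line.startswith("-"):
        parts = line.split(None, 4)
        if len(parts) == 5:
            return parts[4]
    return line


def triage(text):
    """Return a list of (rule, where) findings for the defender-relevant signals."""
    findings = []
    for key, lines in parse_sections(text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, rest in value_pairs(lines):
                m = re.match(r'"([^"]*)"\s*\[(.*)\]', rest)
                # Empty [] means ComboFix found no file for the entry (interpretation):
                # an orphaned or hidden autostart, as with 'braviax' in the log.
                if m and not m.group(2).strip():
                    findings.append(("unresolved_run_entry", name))
        elif "\\msconfig\\startupreg\\" in k:
            for line in lines:
                path = startup_path(line)
                # '?' is not a legal character in a Windows file name; the log shows
                # it where the real name holds characters it could not print.
                if "?" in path:
                    findings.append(("illegal_char_in_path", path))
        elif k.endswith("\\security center"):
            for name, rest in value_pairs(lines):
                if name.endswith("DisableNotify") and as_int(rest) == 1:
                    findings.append(("security_center_notify_disabled", name))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            for name, rest in value_pairs(lines):
                if name == "EnableFirewall" and as_int(rest) == 0:
                    findings.append(("firewall_disabled", "standardprofile"))
    return findings


if __name__ == "__main__":
    for rule, where in triage(LOG):
        print(f"{rule:35} {where}")
```

On the constructed sample the script reports five findings: the unresolved `braviax` Run entry, the `??mantec\m?hta.exe` startup path, both Security Center notification flags, and the disabled firewall profile; the legitimate `ehTray` and `StartCCC` entries produce nothing. The Security Center and firewall values are worth re-checking after cleaning, because the removal script in the next post does not touch them.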

#14
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
OK, let's get back on track to where we would be:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\hjutrqnd.dll
C:\PROGRA~1\CURITY~1\taskmgr.exe
C:\WINDOWS\mrofinu572.exe

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b843e7d8]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bhte]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkpdj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Imst]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0
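The CFScript above uses two sections: `File::` lists files for ComboFix to delete, and `Registry::` holds REGEDIT4-style entries, where `"name"=-` deletes a value, `[-KEY]` deletes a whole key, and `hex(7):` is a REG_MULTI_SZ byte list. The bytes `6d,73,76,31,5f,30,00,00` spell `msv1_0` followed by the two NULs that end a multi-string, which is the default LSA authentication package on Windows XP; the script deletes the value and writes that default back because any extra DLL name appended to this list is loaded into lsass.exe at boot. As an added example, not code from the thread, from andrewuk, or from ComboFix, the Python below parses the script's syntax, decodes the hex(7) value, and checks that the last write to Authentication Packages restores the default. The `CFSCRIPT` sample is constructed from the script above; the function names are mine.

```python
import re

# Constructed sample: the first lines of the CFScript posted above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\hjutrqnd.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b843e7d8]
"""

# The default LSA authentication package list on Windows XP.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_multi_sz(hexdata, unicode=False):
    """Expand a .reg hex(7) (REG_MULTI_SZ) byte list into a list of strings.

    REGEDIT4-style scripts such as CFScript store the bytes as ANSI text;
    'Windows Registry Editor Version 5.00' exports store UTF-16LE instead.
    Each string is NUL-terminated and the whole list ends with an extra NUL.
    Backslash line continuations from exported .reg files are tolerated.
    """
    raw = bytes(int(b, 16) for b in hexdata.replace("\\", "").split(",") if b.strip())
    text = raw.decode("utf-16-le") if unicode else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_cfscript(text):
    """Return (files_to_delete, registry_ops) from a CFScript.

    registry_ops entries are tuples (op, key, value_name, data):
      delete_key   - [-KEY]
      delete_value - "name"=-
      set_multi_sz - "name"=hex(7):..
      set_dword    - "name"=dword:..
      set_sz       - "name"="string"
    """
    files, ops = [], []
    section, key = None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header, e.g. File:: / Registry::
            section = line[:-2]
            continue
        if section == "File":
            files.append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                ops.append(("delete_key", line[2:-1], None, None))
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            else:
                m = re.match(r'"([^"]*)"=(.*)', line)
                if m is None or key is None:
                    continue
                name, data = m.groups()
                if data == "-":
                    ops.append(("delete_value", key, name, None))
                elif data.startswith("hex(7):"):
                    ops.append(("set_multi_sz", key, name, decode_multi_sz(data[7:])))
                elif data.startswith("dword:"):
                    ops.append(("set_dword", key, name, int(data[6:], 16)))
                else:
                    ops.append(("set_sz", key, name, data.strip('"')))
    return files, ops


def restores_default_auth_packages(ops):
    """True if the script's last write to the Lsa key's Authentication Packages
    value is exactly the default list (a delete with no rewrite does not count)."""
    last = None
    for op, key, name, data in ops:
        if key and key.lower().endswith(r"\control\lsa") and name == "Authentication Packages":
            last = data if op == "set_multi_sz" else None
    return last == DEFAULT_AUTH_PACKAGES


if __name__ == "__main__":
    files, ops = parse_cfscript(CFSCRIPT)
    for f in files:
        print("delete file:", f)
    for op in ops:
        print(op)
    print("restores default auth packages:", restores_default_auth_packages(ops))
```

The delete-then-rewrite pair matters: writing the hex(7) value alone would also replace the list, but the explicit `=-` makes the intent visible in the script and guarantees that nothing of the old multi-string survives if the rewrite line were ever dropped. The same decoder works for a regedit export of the Lsa key, with `unicode=True`, when checking a machine for an appended package name.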

#15
rogerisright69

    Member

  • Topic Starter
  • Member
  • 15 posts
Just saw your last post. In the meantime I did a full scan with Ewido post-ComboFix, and here is that log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 3:44:33 PM 3/9/2008
+ Scan result:
C:\QooBox\Quarantine\C\WINDOWS\system32\users32.dat.vir -> Not-A-Virus.Adware.Agent : No action taken.
C:\QooBox\Quarantine\catchme2008-03-09_124752.83.zip/ipfltdrvv.sys -> Rootkit.Agent.to : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][2].txt -> TrackingCookie.Dealtime : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][1].txt -> TrackingCookie.Dealtime : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][1].txt -> TrackingCookie.Findwhat : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Bobby Fischer\Cookies\bobby [email protected][2].txt -> TrackingCookie.Webtrendslive : No action taken.


::Report end


I will now do what you have asked above.
  • 0





