Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware Problem [RESOLVED]


  • This topic is locked This topic is locked

#1
UBS

UBS

    Member

  • Member
  • PipPip
  • 36 posts
Hello there!

I used my friend's pendrive and a malware has embedded itself in my PC.

When I try to open up firefox, the below pop-up appears and crashes firefox.

Try something else, IE and Opera are not so bad...!
-SAM-


When I press ctrl+alt+delete to view the processes, a pop up says the following and shuts the task manager down instantly.

What's wrong with the processes?
-SAM-


I was able to end the process by using AVG antispyware program. However, the problem would come back after rebooting.

I suppose the malware has embedded itself in the registry.

It would would be great if you could provide me with a complete and permanent solution to this.

Thank you.

NOTE: Please find attached my hijackThis log file along with this post for your reference.

Attached File  hijackthis_log_file.txt   8.28KB   99 downloads
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello UBS

Welcome to G2Go. :)
=====================
Please post these logs instead of attaching them thanks.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hello Kahdah!

Thank you for the prompt reply. I was unable to post a reply on time due to some internet problems for which I apologise.

I did what you had asked me to but I just got the main.txt file. I didn't receive any file called extra.txt even after trying several times. Please find below the contents of the main.txt file.

Thank you.



Deckard's System Scanner v20071014.68
Run by Admin on 2008-03-18 21:36:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 446 MiB (512 MiB recommended).
System Drive C: has 0.7 GiB (less than 15%) free.


-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:10 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\alg.exe
C:\Config\system.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Desktop\Utility shortcuts\autoshutdown2\autoshutdown2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoShutdown] C:\Documents and Settings\Admin\Desktop\Utility shortcuts\autoshutdown2\autoshutdown2.exe
O4 - HKCU\..\Policies\Explorer\Run: [winlogon] C:\Config\system.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193518333187
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68834CFC-BE08-4BA4-9CC9-1B9C01BE8ED0}: NameServer = 202.88.130.67,202.88.130.15,202.88.130.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Admin/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 8492 bytes

-- Files created between 2008-02-18 and 2008-03-18 -----------------------------

2008-03-17 22:29:57 0 dr-h----- C:\Documents and Settings\Admin\Recent
2008-03-15 00:53:07 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-03-14 22:26:54 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-14 10:20:53 0 d-------- C:\Program Files\PeerGuardian2
2008-03-14 03:07:58 0 drahs---- C:\autorun.inf
2008-03-14 03:07:13 103802 --a------ C:\Flash_Disinfector.exe
2008-03-14 01:07:55 0 d-------- C:\Program Files\Trend Micro
2008-03-14 00:07:51 203393 -rahs---- C:\system.exe
2008-03-14 00:07:51 0 dr-hs---- C:\Config
2008-03-11 23:02:27 0 d-------- C:\Black And White {www.desibbrg.com} ~ Da Xclusives
2008-03-10 22:28:02 0 dr-h----- C:\Documents and Settings\Admin\Application Data\SecuROM
2008-03-10 22:26:57 0 d-------- C:\Program Files\Hasbro
2008-03-09 00:17:43 0 d-------- C:\Married.With.Children.S01.COMPLETE.DVDRip.XviD-SCC
2008-03-07 23:35:03 0 d-------- C:\Program Files\DAEMON Tools
2008-03-06 02:51:38 0 d-------- C:\Documents and Settings\Admin\Application Data\Grisoft
2008-03-06 02:31:36 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-06 02:25:40 0 d-------- C:\AVG_Anti-Spyware_Plus_7.5.1.43
2008-03-06 00:46:22 0 d-------- C:\Program Files\Infogrames Interactive
2008-03-04 23:01:53 0 d-------- C:\NEW DOWNLOADED MOVIES
2008-03-04 22:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-03-02 01:27:23 0 d-------- C:\Documents and Settings\Admin\Application Data\HTML Executable
2008-03-02 01:27:08 0 d-------- C:\Program Files\Common Files\HTML Executable Viewer
2008-03-02 00:23:43 0 d-------- C:\Monopoly 2008 [English][PC]
2008-02-28 21:49:48 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-22 00:58:36 0 d-------- C:\Program Files\Rapidown
2008-02-21 00:17:10 0 d-------- C:\Program Files\Karen's Alarm Clock
2008-02-19 01:48:23 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-19 01:48:23 3440 --a------ C:\WINDOWS\unins000.dat


-- Find3M Report ---------------------------------------------------------------

2008-02-10 01:23:16 533 --a------ C:\WINDOWS\eReg.dat
2008-02-10 00:07:12 0 --a------ C:\WINDOWS\PowerReg.dat
2008-02-09 20:35:44 0 d-------- C:\Program Files\Pocket Tanks Deluxe
2008-01-05 03:28:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-05 03:27:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-05 03:27:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-05 03:27:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 03:27:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-05 03:27:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 03:27:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 03:26:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/12/2005 02:43 PM]
"RTHDCPL"="RTHDCPL.EXE" [01/11/2006 10:53 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/04/2005 12:13 AM C:\WINDOWS\Alcmtr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [02/13/2007 11:59 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 03:10 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/22/2007 04:05 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [09/20/2007 09:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [09/01/2004 12:00 AM]
"AutoShutdown"="C:\Documents and Settings\Admin\Desktop\Utility shortcuts\autoshutdown2\autoshutdown2.exe" [05/15/2001 01:09 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [3/8/2006 1:24:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartBanner"=01
"NoInstrumentation"=1 (0x1)
"NoStartMenuSubFolders"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)
"NoSMMyDocs"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"winlogon"=C:\Config\system.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e7af3c2-19aa-11dc-93b2-001676a35e74}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dc3e2ac-cb3f-11db-9dfd-001676a35e74}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dec64e4-f12b-11dc-bfb0-001676a35e74}]
Auto\command- I:\system.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
Explore\command- I:\system.exe
Open\command- I:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65da2f40-71a2-11db-9cfc-001676a35e74}]
Auto\command- H:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9efd936a-b4c9-11db-9dc1-001676a35e74}]
AutoRun\command- H:\Capinst.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7904814-756a-11dc-93ee-e557485925be}]
AutoRun\command- H:\HGsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd9e7514-af29-11dc-bf2d-001676a35e74}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff918df6-bc3b-11dc-bf48-da2c3dcd7651}]




-- End of Deckard's System Scanner: finished at 2008-03-18 21:36:34 ------------
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No problem

I would like for you to submit some files for me to analyze.

Click Here and upload these 2 files for me please.

C:\system.exe
C:\Config\system.exe

Thank you.

We will continue after that.
  • 0

#5
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
How do I get those files? Please tell me the procedure.

Thank you.

I tried everything but just couldn't find those files.

It would be a pleasure if you would guide me through the process of acquiring those files so that I could get my problem fixed soon.

Thank you again.

Edited by UBS, 19 March 2008 - 10:47 PM.

  • 0

#6
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hello Kahdah!

After some help from Don77 on the Geeks to Go chatroom, I was able to figure out how to find those files. I have uploaded them. Please check and let me know what to do next.

Thank you.

PS. I would also like to point out to you that when I run HijackThis and fix the below line, everything comes back to normal until a reboot is done. After fixing this line, even when I restore it, everything works fine. It's just after restarting that the problem comes back.

O4 - HKCU\..\Policies\Explorer\Run: [winlogon] C:\Config\system.exe

I assumed this would help you understand the problem better.

Edited by UBS, 20 March 2008 - 02:08 PM.

  • 0

#7
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I'm sorry I didn't know you had replied to this thread I didn't get an e-mail notification.
Anyway thanks and yes I did get them :)
Let's proceed.
==============================
Make sure that you paste the following file paths under the yellow bar within the OTMoveit2 program or it will not work correctly.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\system.exe
    C:\Config\system.exe
    I:\system.exe
    H:\infrom.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run\\winlogon
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dec64e4-f12b-11dc-bfb0-001676a35e74}
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================
Then::
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by kahdah, 20 March 2008 - 04:57 PM.

  • 0

#8
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hello Kahdah!

Thank you for your reply.

I have posted the contents of the files as instructed by you. Please take a look below:

Thank you for all your support. I really appreciate it.



[Custom Input]
< C:\system.exe >
C:\system.exe moved successfully.
< C:\Config\system.exe >
C:\Config\system.exe moved successfully.
< I:\system.exe >
File/Folder I:\system.exe not found.
< H:\infrom.exe >
File/Folder H:\infrom.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run\\winlogon >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run\\winlogon deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dec64e4-f12b-11dc-bfb0-001676a35e74} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dec64e4-f12b-11dc-bfb0-001676a35e74}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_110935




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 2:14:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 649944
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 47996
Number of viruses found: 6
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 00:52:53

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe/WISE0070.BIN Infected: Trojan-Downloader.Win32.Agent.hym skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe/WISE0071.BIN Infected: Trojan-Downloader.Win32.Agent.hym skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe/WISE0072.BIN Infected: Trojan-Downloader.Win32.Agent.hym skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe/WISE0111.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.ab skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe/WISE0116.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.ab skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe WiseSFX: infected - 5 skipped
C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe WiseSFXDropper: infected - 5 skipped
C:\Documents and Settings\Admin\desktop\New Folder\Install_RS_MG_Leecher_08.exe/data19 Infected: Trojan.Win32.Agent.dcv skipped
C:\Documents and Settings\Admin\desktop\New Folder\Install_RS_MG_Leecher_08.exe SIM: infected - 1 skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq400.tmp\bin\10.0.275.0\HostOE.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\System Volume Information\_restore{6DA51A59-7AC5-4456-A66C-8CF6A4A87EC9}\RP402\change.log Object is locked skipped
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\_OTMoveIt\MovedFiles\03212008_110935\system.exe Infected: Trojan.Win32.AutoHK.am skipped
C:\_OTMoveIt\MovedFiles\03212008_110935\Config\system.exe Infected: Trojan.Win32.AutoHK.am skipped
D:\System Volume Information\_restore{6DA51A59-7AC5-4456-A66C-8CF6A4A87EC9}\RP402\change.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\System Volume Information\_restore{6DA51A59-7AC5-4456-A66C-8CF6A4A87EC9}\RP402\change.log Object is locked skipped
E:\My Installers\DivX Pro (incl. DivX Player) 6.5.1 for Windows\keygen.exe Infected: not-a-virus:PSWTool.Win32.GetPass.h skipped
F:\System Volume Information\_restore{6DA51A59-7AC5-4456-A66C-8CF6A4A87EC9}\RP402\change.log Object is locked skipped
F:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

Scan process completed.
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe
    E:\My Installers\DivX Pro (incl. DivX Player) 6.5.1 for Windows
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq400.tmp\bin\10.0.275.0\HostOE.dll 
    C:\Documents and Settings\Admin\desktop\New Folder\Install_RS_MG_Leecher_08.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================
Please also post a new Hijackthis log and let me know how things are running?
  • 0

#10
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hello!

Here are the contents. FYI I had deleted O4 - HKCU\..\Policies\Explorer\Run: [winlogon] C:\Config\system.exe through HijackThis. After that it is not showing that pop-up anymore. Did I do the right thing? Is the malware completely removed from my system?



File/Folder C:\Documents and Settings\Admin\desktop\EVERYTHING\misc2\frostyhandeyeV2free.exe not found.
File/Folder E:\My Installers\DivX Pro (incl. DivX Player) 6.5.1 for Windows not found.
File/Folder C:\Program Files\Yahoo!\YPSR\Quarantine\ppq400.tmp\bin\10.0.275.0\HostOE.dll not found.
File/Folder C:\Documents and Settings\Admin\desktop\New Folder\Install_RS_MG_Leecher_08.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_195451





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:32 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Desktop\Utility shortcuts\autoshutdown2\autoshutdown2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoShutdown] C:\Documents and Settings\Admin\Desktop\Utility shortcuts\autoshutdown2\autoshutdown2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193518333187
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68834CFC-BE08-4BA4-9CC9-1B9C01BE8ED0}: NameServer = 202.88.130.67,202.88.130.15,202.88.130.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Admin/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 8106 bytes
  • 0

Advertisements


#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
That is fine.
===========
Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

C:\Documents and Settings\Admin\Desktop\Utility shortcuts\autoshutdown2\autoshutdown2.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0

#12
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hi Kahdah!

Below are the results: Thank you.

Jotti File Scan

Service load:
0% 100%
File: autoshutdown2.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ba6435c78c4a91877ae8aa4dcc0927d3
Packers detected:
-
Bit9 reports: Not analyzed yet (more info)

Scan taken on 21 Mar 2008 19:38:39 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


VirusTotal File Scan

File autoshutdown2.exe received on 03.18.2008 20:53:25 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.18.1 2008.03.18 -
AntiVir 7.6.0.75 2008.03.18 -
Authentium 4.93.8 2008.03.18 -
Avast 4.7.1098.0 2008.03.18 -
AVG 7.5.0.516 2008.03.18 -
BitDefender 7.2 2008.03.18 -
CAT-QuickHeal 9.50 2008.03.14 -
ClamAV 0.92.1 2008.03.18 -
DrWeb 4.44.0.09170 2008.03.18 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5623 2008.03.17 -
Ewido 4.0 2008.03.18 -
FileAdvisor 1 2008.03.18 -
Fortinet 3.14.0.0 2008.03.18 -
F-Prot 4.4.2.54 2008.03.18 -
F-Secure 6.70.13260.0 2008.03.18 -
Ikarus T3.1.1.20 2008.03.18 -
Kaspersky 7.0.0.125 2008.03.18 -
McAfee 5254 2008.03.18 -
Microsoft 1.3301 2008.03.18 -
NOD32v2 2957 2008.03.18 -
Norman 5.80.02 2008.03.18 -
Panda 9.0.0.4 2008.03.17 -
Prevx1 V2 2008.03.18 -
Rising 20.36.12.00 2008.03.18 -
Sophos 4.27.0 2008.03.18 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.18 -
TheHacker 6.2.92.248 2008.03.17 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.18 -
Webwasher-Gateway 6.6.2 2008.03.18 -

Additional information
File size: 572416 bytes
MD5: ba6435c78c4a91877ae8aa4dcc0927d3
SHA1: 18919ffcec48790660022ea0e2f4990d19b63a26
PEiD: -

Edited by UBS, 21 March 2008 - 02:03 PM.

  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)


Now click on Fix Checked and then close Hijackthis.
======================================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
=============================
After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:After that
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
====================================
Then I will need you to reset your System Restore points, please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.


How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
==============================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#14
UBS

UBS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hello Kahdah!

I have done everything as instructed. Everything is working fine now... :) You guys have never disappointed me.

Thank you so much for all your time, effort and help. I really appreciate it.

May god bless you and this website.
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome and thank you. :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP