cryp_tap-2 and probably more

#1
barbouncer (New Member, 6 posts)
Computer got infected recently. Could tell by pop-ups and the computer becoming slower and slower. Tried everything to get rid of this to no avail. Even tried to erase the partition and reinstall Windows XP fresh, but it would not allow me to. From what I read around, the Cryp_tap-2 virus is a nasty little bug and I would appreciate any help in removing this.

Did all the steps in the "do this before u post" thread.

Here are the logs.


SUPERAntiSpyware Scan Log
Generated 04/17/2008 at 00:09 AM

Application Version : 3.6.1000

Core Rules Database Version : 3440
Trace Rules Database Version: 1432

Scan type : Complete Scan
Total Scan Time : 00:46:09

Memory items scanned : 328
Memory threats detected : 0
Registry items scanned : 4532
Registry threats detected : 2
File items scanned : 46164
File threats detected : 4

Adware.IST/ISTBar (Slotch Bar)
HKU\S-1-5-21-1482476501-583907252-839522115-1003\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Trojan.Unclassified/CRU629
C:\DOCUMENTS AND SETTINGS\CHRIS\APPLICATION DATA\AVANQUEST\SYSTEMSUITE\QUARANTINE\CRU629.DAT.QUAR00
C:\DOCUMENTS AND SETTINGS\CHRIS\APPLICATION DATA\AVANQUEST\SYSTEMSUITE\QUARANTINE\CRU629.DAT.QUAR01

Rogue.WinReanimator
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINREANIMATOR\WINREANIMATOR.EXE.VIR

Trojan.Downloader-Gen/MROFIN
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU2000382.EXE.VIR

Malwarebytes' Anti-Malware 1.11
Database version: 636

Scan type: Quick Scan
Objects scanned: 29173
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Nvchost (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMafcd3bd7 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\twxereqq.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\sysmivb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

;***************************************************************************************************************************************************************************************
ANALYSIS: 2008-04-17 01:06:51
PROTECTIONS: 0
MALWARE: 15
SUSPECTS: 0
;***************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.mediaplex.com/]
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.clickbank.net/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.xiti.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.apmebf.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.advertising.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cookies.txt[.target.com/]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Chris\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\JAVA\JRE1.6.0_05\BIN\JUSCHED.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\1.2.1128.5462\GOOGLETOOLBARNOTIFIER.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\ATI MULTIMEDIA\REMCTRL\ATIRW.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
02895340 Adware/PurityScan Adware No 0 Yes No C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\univrs32.dat.QUAR00
02907283 Application/WinReanimator Spyware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\WinReanimator\WinReanimator.dll.vir
02907453 Application/WinReanimator Spyware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\winivstr.exe.vir
02907453 Application/WinReanimator Spyware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\WinReanimator\install.exe.vir
02913300 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ssqRJyvT.dll.QUAR00
02913545 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ygoquglc.dll.QUAR00
02913546 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\jmqohkou.dll.QUAR00
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 
184379 MEDIUM MS08-001 
182048 HIGH MS07-069 
182046 HIGH MS07-067 
182043 HIGH MS07-064 
179553 HIGH MS07-061 
176382 HIGH MS07-057 
176383 HIGH MS07-058 
170911 HIGH MS07-050 
170907 HIGH MS07-046 
170906 HIGH MS07-045 
170904 HIGH MS07-043 
164915 HIGH MS07-035 
164913 HIGH MS07-033 
164911 HIGH MS07-031 
160623 HIGH MS07-027 
157262 HIGH MS07-022 
157261 HIGH MS07-021 
157260 HIGH MS07-020 
157259 HIGH MS07-019 
156477 HIGH MS07-017 
150253 HIGH MS07-016 
150249 HIGH MS07-013 
150248 HIGH MS07-012 
150247 HIGH MS07-011 
150243 HIGH MS07-008 
150242 HIGH MS07-007 
150241 MEDIUM MS07-006 
141034 HIGH MS06-076 
141033 MEDIUM MS06-075 
141030 HIGH MS06-072 
137571 HIGH MS06-070 
137568 HIGH MS06-067 
133387 MEDIUM MS06-065 
133386 MEDIUM MS06-064 
133385 MEDIUM MS06-063 
133379 HIGH MS06-057 
131654 HIGH MS06-055 
129977 MEDIUM MS06-053 
129976 MEDIUM MS06-052 
126093 HIGH MS06-051 
126092 MEDIUM MS06-050 
126087 HIGH MS06-046 
126086 MEDIUM MS06-045 
126083 HIGH MS06-042 
126082 HIGH MS06-041 
126081 HIGH MS06-040 
123421 HIGH MS06-036 
123420 HIGH MS06-035 
120825 MEDIUM MS06-032 
120823 MEDIUM MS06-030 
120818 HIGH MS06-025 
120815 HIGH MS06-022 
120814 HIGH MS06-021 
117384 MEDIUM MS06-018 
114666 HIGH MS06-015 
114664 HIGH MS06-013 
108744 MEDIUM MS06-008 
108743 MEDIUM MS06-007 
108742 MEDIUM MS06-006 
104567 HIGH MS06-002 
104237 HIGH MS06-001 
96574 HIGH MS05-053 
93395 HIGH MS05-051 
93394 HIGH MS05-050 
93454 MEDIUM MS05-049 
;===================================================================================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:00 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: vtUkHWmJ - vtUkHWmJ.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3890 bytes

Thanks in advance for any advice and help.
C

#2
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello barbouncer

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
barbouncer (Topic Starter, New Member, 6 posts)
Deckard's System Scanner v20071014.68
Run by Chris on 2008-04-22 08:49:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-04-22 15:49:31 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-04-18 04:27:12 UTC - RP8 - Software Distribution Service 3.0
7: 2008-04-18 04:17:31 UTC - RP7 - ComboFix created restore point
6: 2008-04-17 08:08:56 UTC - RP6 - Software Distribution Service 3.0
5: 2008-04-17 06:20:03 UTC - RP5 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-04-17 04:49:19 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:52 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: vtUkHWmJ - vtUkHWmJ.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3829 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 MailScan - c:\progra~1\avanqu~1\system~1\mailscan.sys (file missing)
S3 Razerlow (Razerlow USB Filter Driver) - c:\windows\system32\drivers\razerlow.sys <Not Verified; Razer (Asia-Pacific) Pte Ltd; Diamonback USB Optical Mouse>
S3 razerusb - c:\windows\system32\drivers\razerusb.sys <Not Verified; Razer Inc.; Razer USB Mouse Driver>
S3 TFilter - c:\progra~1\avanqu~1\system~1\tfilter.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1057&DEV_3052&SUBSYS_30201057&REV_04\3&267A616A&0&68
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1057&DEV_3052&SUBSYS_30201057&REV_04\3&267A616A&0&68
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-09 08:38:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-17 02:02:11 0 d-------- C:\Logs
2008-04-17 01:19:21 0 d-------- C:\Program Files\Trend Micro
2008-04-16 23:20:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-16 23:20:04 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-16 23:20:03 0 d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-04-16 23:11:49 0 d-------- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-04-16 23:11:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 23:11:45 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 23:11:22 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-16 23:04:05 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-16 22:46:37 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-16 21:48:26 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-16 21:46:57 0 d-------- C:\WINDOWS\Prefetch
2008-04-10 14:59:43 68096 --a------ C:\WINDOWS\zip.exe
2008-04-10 14:59:43 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-10 14:59:43 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-10 14:59:43 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-10 14:59:43 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-10 14:59:43 98816 --a------ C:\WINDOWS\sed.exe
2008-04-10 14:59:43 80412 --a------ C:\WINDOWS\grep.exe
2008-04-10 14:59:43 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-10 13:41:56 0 d-------- C:\Program Files\Panda Security
2008-04-10 12:02:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-04-10 12:01:12 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-10 12:00:44 0 dr-hs---- C:\_Backup.RC
2008-04-10 12:00:42 0 d--h----- C:\_Backup
2008-04-10 11:58:32 0 d-------- C:\Documents and Settings\Chris\Application Data\Avanquest
2008-04-10 11:57:53 0 d-------- C:\Program Files\Avanquest
2008-04-09 15:00:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 14:55:09 10174 --a------ C:\WINDOWS\system32\taxipif.vbs
2008-04-09 14:55:09 13434 --a------ C:\WINDOWS\rozijewozo.bat
2008-04-09 14:55:09 13259 --a------ C:\WINDOWS\mubiqu.reg
2008-04-09 14:55:09 11942 --a------ C:\Program Files\Common Files\ujodomeloh.dll
2008-04-09 14:55:09 19982 --a------ C:\Program Files\Common Files\iqada.dat
2008-04-09 14:55:09 18575 --a------ C:\Documents and Settings\Chris\Application Data\ypugikozal.reg
2008-04-09 14:55:09 13410 --a------ C:\Documents and Settings\Chris\Application Data\ryjimo.dat
2008-04-09 14:55:08 13334 --a------ C:\WINDOWS\system32\nyrew.dll
2008-04-09 14:55:08 12283 --a------ C:\WINDOWS\inabahyro.com
2008-04-09 14:19:21 0 d-------- C:\Program Files\Alwil Software
2008-04-09 12:31:10 0 d-------- C:\Documents and Settings\Chris\Application Data\Google
2008-04-09 12:29:01 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 12:28:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-09 12:28:32 0 d-------- C:\Program Files\Google
2008-04-09 12:01:11 0 d-------- C:\Program Files\LimeWire
2008-04-08 00:45:12 0 d-------- C:\Documents and Settings\Chris\OngameNetwork


-- Find3M Report ---------------------------------------------------------------

2008-04-17 02:04:04 0 d-------- C:\Program Files\World of Warcraft
2008-04-17 01:13:24 0 d-------- C:\Program Files\Messenger
2008-04-17 00:17:14 2546 --a------ C:\WINDOWS\mozver.dat
2008-04-16 23:19:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 23:11:22 0 d-------- C:\Program Files\Common Files
2008-04-16 21:38:40 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-09 14:55:09 15198 --a------ C:\Program Files\Common Files\ucoci._sy
2008-04-09 14:55:09 19730 --a------ C:\Documents and Settings\Chris\Application Data\syfuj.db
2008-04-09 14:55:08 13118 --a------ C:\Documents and Settings\Chris\Application Data\kypymuru.inf
2008-04-09 14:05:41 0 d-------- C:\Program Files\Razer
2008-04-09 14:05:41 0 d-------- C:\Program Files\QuickTime
2008-04-09 12:08:40 0 d-------- C:\Documents and Settings\Chris\Application Data\LimeWire
2008-04-01 12:56:52 0 d-------- C:\Program Files\Java
2008-03-18 15:13:39 0 d-------- C:\Program Files\Starcraft
2008-03-11 22:08:47 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-11 22:08:47 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-03-11 22:08:47 12852 --a------ C:\WINDOWS\scunin.dat
2008-03-11 21:54:14 0 d-------- C:\Documents and Settings\Chris\Application Data\Sierra Entertainment
2008-03-11 21:53:46 0 dr-h----- C:\Documents and Settings\Chris\Application Data\SecuROM
2008-03-11 21:50:54 0 d-------- C:\Program Files\AGEIA Technologies
2008-03-11 21:21:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-11 21:21:27 0 d-------- C:\Program Files\Sierra Entertainment
2008-03-11 21:19:39 0 d-------- C:\Documents and Settings\Chris\Application Data\InstallShield
2008-03-10 17:54:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-09 20:58:21 0 d-------- C:\Program Files\Firefly Studios
2008-03-09 20:55:55 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/09/2008 12:26 PM]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [06/15/2004 10:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [04/09/2008 12:26 PM]
"razertra"="C:\Program Files\Razer\razertra.exe" [04/09/2008 12:26 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/09/2008 12:26 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [06/15/2004 10:22 PM]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [04/09/2008 12:26 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/09/2008 02:53 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [04/17/2008 01:17 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/17/2008 01:17 AM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkHWmJ]
vtUkHWmJ.dll




-- End of Deckard's System Scanner: finished at 2008-04-22 08:50:29 ------------

#4
barbouncer (Topic Starter, New Member, 6 posts)
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 1022.73 MiB / 751.95 MiB
Pagefile Memory (total/avail): 2459.92 MiB / 2252.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.99 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.68 GiB total, 45.11 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.68 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"="C:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe:*:Enabled:Stronghold 2"
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"="C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe:*:Enabled:Empire Earth III"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHRIS-17CF57202
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LOGONSERVER=\\CHRIS-17CF57202
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=CHRIS-17CF57202
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Chris (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
--> MsiExec.exe /X{69495273-FCDC-4A86-BCB7-49B504D3FB0E}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE Mega CoDecS Pack --> "C:\Program Files\ACE Mega CoDecS Pack\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDE28287-D32C-415E-9C97-2BF9F9260150} /l1033
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Multimedia Center 9.01 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
ATI Remote Wonder 2.3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3347F781-9C89-4C9B-B471-B1FFC3BC4A84} /l1033
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
BitTorrent 5.0.7 --> "C:\Program Files\BitTorrent\uninstall.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Empire Earth III --> C:\Program Files\InstallShield Installation Information\{B17E235C-7A3B-4482-B650-21FFDE1D452E}\setup.exe -runfromtemp -l0x0009 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Razer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85C6CE1E-2A22-4C5A-A8A1-9DBFBEA81DE1}\Setup.exe" -l0x9
Shareaza version 2.2.5.0 --> "C:\Program Files\Shareaza\Uninstall\unins000.exe"
Starcraft --> C:\WINDOWS\scunin.exe C:\WINDOWS\scunin.dat
Stronghold 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D2C649-CBA8-44EE-B730-12584667D487}\setup.exe" -l0x9 -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1715 / Warning
Event Submitted/Written: 04/16/2008 10:44:20 PM
Event ID/Source: 1 / SystemSuite
Event Description:
Virus Scanner:

Potential Threat Detected

Cryp_Tap-2 - C:\WINDOWS\system32\jkkIbbCs.dll

Event Record #/Type1712 / Warning
Event Submitted/Written: 04/16/2008 09:51:48 PM
Event ID/Source: 1 / SystemSuite
Event Description:
Virus Scanner:

Potential Threat Detected

Cryp_Tap-2 - C:\WINDOWS\system32\jkkIbbCs.dll

Event Record #/Type1704 / Warning
Event Submitted/Written: 04/16/2008 09:40:22 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type1703 / Warning
Event Submitted/Written: 04/16/2008 09:40:22 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type1702 / Warning
Event Submitted/Written: 04/16/2008 09:40:22 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5853 / Warning
Event Submitted/Written: 04/17/2008 01:50:47 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5443 / Error
Event Submitted/Written: 04/16/2008 09:44:33 PM
Event ID/Source: 27287 / Setup
Event Description:
Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

Event Record #/Type5442 / Warning
Event Submitted/Written: 04/16/2008 09:41:00 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 1200 Series PS (MS) for Windows NT x86 Version-3 was added or updated. Files:- PSCRIPT5.DLL, PS5UI.DLL, HP1200_7.PPD, PSCRIPT.HLP, PSCRIPT.NTF.

Event Record #/Type5441 / Warning
Event Submitted/Written: 04/16/2008 09:41:00 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 1200 Series PCL for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPLJ1200.GPD, UNIDRV.HLP, UNIRES.DLL, hpcfont.dll, hpcstr.dll, hpcljx.hlp, hpcmacro.gpd, hpcfont.gpd, TTFSUB.GPD, STDNAMES.GPD.

Event Record #/Type5440 / Error
Event Submitted/Written: 04/16/2008 09:40:22 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}



-- End of Deckard's System Scanner: finished at 2008-04-22 08:50:29 ------------

#5 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Save all of the logs and post them all at the same time.
==================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\taxipif.vbs
    C:\WINDOWS\rozijewozo.bat
    C:\WINDOWS\mubiqu.reg
    C:\Program Files\Common Files\ujodomeloh.dll
    C:\Program Files\Common Files\iqada.dat
    C:\Documents and Settings\Chris\Application Data\ypugikozal.reg
    C:\WINDOWS\system32\nyrew.dll
    C:\WINDOWS\inabahyro.com
    C:\Program Files\Common Files\ucoci._sy
    C:\Documents and Settings\Chris\Application Data\syfuj.db
    C:\Documents and Settings\Chris\Application Data\kypymuru.inf
    C:\WINDOWS\system32\jkkIbbCs.dll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkHWmJ
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.


#6 barbouncer (New Member, Topic Starter, 6 posts)

A couple of things had errors during the OTMoveIt2 run: 1) c:\program files\common files\ujodomeloh.dll and 2) c:\windows\system32\nyrew.dll

Here is the log:

C:\WINDOWS\system32\taxipif.vbs moved successfully.
C:\WINDOWS\rozijewozo.bat moved successfully.
C:\WINDOWS\mubiqu.reg moved successfully.
LoadLibrary failed for C:\Program Files\Common Files\ujodomeloh.dll
C:\Program Files\Common Files\ujodomeloh.dll NOT unregistered.
C:\Program Files\Common Files\ujodomeloh.dll moved successfully.
C:\Program Files\Common Files\iqada.dat moved successfully.
C:\Documents and Settings\Chris\Application Data\ypugikozal.reg moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\nyrew.dll
C:\WINDOWS\system32\nyrew.dll NOT unregistered.
C:\WINDOWS\system32\nyrew.dll moved successfully.
C:\WINDOWS\inabahyro.com moved successfully.
C:\Program Files\Common Files\ucoci._sy moved successfully.
C:\Documents and Settings\Chris\Application Data\syfuj.db moved successfully.
C:\Documents and Settings\Chris\Application Data\kypymuru.inf moved successfully.
File/Folder C:\WINDOWS\system32\jkkIbbCs.dll not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkHWmJ >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkHWmJ\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04222008_181213




And the Kaspersky log is as follows:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 22, 2008 8:24:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722306
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 56833
Number of viruses found: 11
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 01:01:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ATI MMC\RemoteWonder.txt Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ACEMCP603PRO.exe.QUAR00 Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\jmqohkou.dll.QUAR00 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\nbmktwnj.dll.QUAR00 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ssqRJyvT.dll.QUAR00 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\univrs32.dat.QUAR00 Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ygoquglc.dll.QUAR00 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\cert8.db Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\history.dat Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\key3.db Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\parent.lock Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-22-2008( 17-58-30 ).LOG Object is locked skipped
C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Desktop\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\t4puzp6u.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ATI Multimedia\RemCtrl\atirw.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\googletoolbarnotifier.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Razer\razertra.exe Infected: Trojan.Win32.Patched.bz skipped
C:\QooBox\Quarantine\C\Program Files\WinReanimator\install.exe.vir Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\QooBox\Quarantine\C\Program Files\WinReanimator\WinReanimator.dll.vir Infected: not-a-virus:FraudTool.Win32.Reanimator.d skipped
C:\QooBox\Quarantine\C\WINDOWS\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.eg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkIbbCs.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnkiJB.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\users32.dat.vir Infected: Trojan.Win32.Zapchast.fu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUkHWmJ.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winivstr.exe.vir Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D54BDBBD-0A0F-428D-89AC-8DA0F15B4B65}\RP2\A0000590.exe Infected: Trojan-Downloader.Win32.Homles.bc skipped
C:\System Volume Information\_restore{D54BDBBD-0A0F-428D-89AC-8DA0F15B4B65}\RP2\A0000592.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{D54BDBBD-0A0F-428D-89AC-8DA0F15B4B65}\RP4\A0000675.exe Infected: Trojan-Downloader.Win32.FraudLoad.lq skipped
C:\System Volume Information\_restore{D54BDBBD-0A0F-428D-89AC-8DA0F15B4B65}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#7 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Everything is fine, it moved all of the files.
Bad news though: you have a few pieces of software that will need to be reinstalled.
=========
These programs you will have to reinstall:
Razer
QuickTime
Java
GoogleToolbarNotifier
ATI Control Panel

================
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Chris\Desktop\Download_mbam-setup.exe 
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe 
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\googletoolbarnotifier.exe 
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe 
    C:\Program Files\QuickTime\qttask.exe 
    C:\Program Files\Razer\razertra.exe 
    C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ACEMCP603PRO.exe.QUAR00
    C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\jmqohkou.dll.QUAR00 
    C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\nbmktwnj.dll.QUAR00
    C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ssqRJyvT.dll.QUAR00
    C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\univrs32.dat.QUAR00
    C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ygoquglc.dll.QUAR00
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============
Please post the OTMoveIt log and a new HijackThis log, and let me know how things are running.
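As an added worked example, not code from this thread or from any of the tools mentioned in it: the cross-check kahdah is doing by hand in this post, matching the Kaspersky "Infected:" lines against the autostart entries in the HijackThis log so that each flagged file can be tied to the Run key, Winlogon Notify entry or service that launches it. The two log excerpts inside it are constructed subsets copied in layout from the logs posted above; the parser and the function names are my own. It also shows why the comparison has to ignore case (the two logs spell GoogleToolbarNotifier.exe differently) and separates the `Trojan.Win32.Patched` hits, where a legitimate program file was modified in place and the program has to be reinstalled once the file is moved, from ordinary droppers that can simply be removed.

```python
import re

# Constructed excerpts in the layout of the HijackThis and Kaspersky Online
# Scanner reports posted earlier in this thread (a subset, not the full logs).
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

KASPERSKY_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\googletoolbarnotifier.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe Infected: Trojan.Win32.Patched.bz skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan.Win32.Patched.bz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkIbbCs.dll.vir Infected: Packed.Win32.Monder.gen skipped
"""

# One Kaspersky result line: "<path> Infected: <verdict> <action>".
# "Object is locked" lines carry no verdict and are ignored.
KAV_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")

# HijackThis autostart sections that name a binary on disk.
HJT_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HJT_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.+)$")
HJT_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")


def extract_image_path(cmd: str) -> str:
    """Pull the on-disk path out of a Run/Notify/Service command line.

    Quoted paths are taken verbatim up to the closing quote; unquoted paths
    with spaces (common under "Program Files") are cut at the first .exe/.dll.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hijackthis(text: str) -> list:
    """Return [{section, name, path}] for every O4 Run, O20 and O23 entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in (("O4", HJT_RUN), ("O20", HJT_NOTIFY), ("O23", HJT_SVC)):
            m = pattern.match(line)
            if m:
                entries.append({"section": section, "name": m["name"],
                                "path": extract_image_path(m["cmd"])})
                break
    return entries


def parse_kaspersky(text: str) -> dict:
    """Map lower-cased path -> verdict for every 'Infected:' line."""
    verdicts = {}
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            verdicts[m["path"].lower()] = m["verdict"]
    return verdicts


def correlate(hjt_text: str, kav_text: str) -> list:
    """Autostart entries whose image the scanner flagged: (section, name, path, verdict).

    Paths are compared case-insensitively because Windows paths are; the two
    logs above spell GoogleToolbarNotifier.exe differently.
    """
    verdicts = parse_kaspersky(kav_text)
    hits = []
    for entry in parse_hijackthis(hjt_text):
        verdict = verdicts.get(entry["path"].lower())
        if verdict:
            hits.append((entry["section"], entry["name"], entry["path"], verdict))
    return hits


def needs_reinstall(hits: list) -> list:
    """Paths whose verdict says a legitimate binary was patched in place.

    Moving such a file removes the program's only executable, so the product
    has to be reinstalled rather than merely cleaned.
    """
    return [path for (_, _, path, verdict) in hits if "Patched" in verdict]


if __name__ == "__main__":
    found = correlate(HIJACKTHIS_LOG, KASPERSKY_REPORT)
    for section, name, path, verdict in found:
        print(f"{section:<4} [{name}] {path} -> {verdict}")
    print("reinstall after moving:", *needs_reinstall(found), sep="\n  ")
```

Run it as a script to print the matched entries; on a real case, feed the full HijackThis and Kaspersky text into `correlate`. Entries whose path does not appear in the scanner report (SUPERAntiSpyware, the SASWinLogon notify DLL, the ATI Smart service) are left out, which is the point: the list tells you which autostarts are launching a file the scanner already condemned, and `needs_reinstall` tells you which products will be missing their executable once those files are moved.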

#8 barbouncer (New Member, Topic Starter, 6 posts)

Everything moved fine. Here are the logs. And thanks for the fast replies.

C:\Documents and Settings\Chris\Desktop\Download_mbam-setup.exe moved successfully.
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe moved successfully.
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\googletoolbarnotifier.exe moved successfully.
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe moved successfully.
C:\Program Files\QuickTime\qttask.exe moved successfully.
C:\Program Files\Razer\razertra.exe moved successfully.
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ACEMCP603PRO.exe.QUAR00 moved successfully.
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\jmqohkou.dll.QUAR00 moved successfully.
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\nbmktwnj.dll.QUAR00 moved successfully.
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ssqRJyvT.dll.QUAR00 moved successfully.
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\univrs32.dat.QUAR00 moved successfully.
C:\Documents and Settings\Chris\Application Data\Avanquest\SystemSuite\Quarantine\ygoquglc.dll.QUAR00 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04232008_132942



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:41 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3878 bytes

#9 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Ok, remember you will have to reinstall those programs because they are missing their exe files, as they had been patched to become malware.
====================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Delete/uninstall anything else that we used.
=========================
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
===================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them; they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware - Another very powerful tool which searches and kills nasties that infect your system. Ad-Aware and Spybot Search & Destroy complement each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.