
mrofinu1001186.exe among other offenders



#1
Stir423

    Member

  • Member
  • 26 posts
I was trying to rid my niece's machine of malware using Spybot-S&D. But after attempting to excise some other suspicious files, I can no longer log in normally. As soon as I do, I get logged off. Fortunately, the Win XP machine still runs in safe mode. Based on the following HijackThis log, what further action should I take?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:15 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\TEMP\DIL50.tmp
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\trendmicro\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL45.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [fafa] mwoz.exe
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\system32\alm7tas.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [pronto] anqh.exe
O4 - HKLM\..\RunServices: [z0ogu] z0ogu.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\system32\dllcache\qxchost.exe

--
End of file - 4055 bytes
  • 0


#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Stir423

Welcome to G2Go. :)
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

  • 0

#3
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts


Thanks for the quick reply. Something I need clarity on though: will I be able to reliably install SDFix.exe while in Safe Mode? For now, that's the only condition I can boot from Win XP Pro. Major problem is I get logged off as fast as I log in when trying to boot normally.
  • 0

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes. Download it and double-click on it to install it.
Then go to C:\SdFix and open that folder.
Then double-click on runthis.bat and let it complete.
Then after that try booting into normal mode to retrieve the log.
If you still cannot boot into normal mode then boot back into safe mode and go to the C:\SDFix folder again and look for a text file named report.
Post the contents of that file here and a new Hijackthis log please.
  • 0

#5
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
OK, will download SDFix and try this solution as soon as I get to the affected machine. I'll be able to do this by Thursday (and not sooner, I'm afraid). Will post another HijackThis logfile by then. Thanks again.
  • 0

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok.
  • 0

#7
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
We still can't log in properly. Here's the SDFix report and latest HijackThis logfile:



SDFix: Version 1.173
Run by Myds on Thu 04/24/2008 at 09:49 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
Microsoft Agent

Path :
"C:\WINDOWS\system32\dllcache\qxchost.exe"

Microsoft Agent - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:28 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\DIL4.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL4.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [z0ogu] z0ogu.exe
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\Run: [WinDLL (msygl32.exe)] rundll32.exe C:\WINDOWS\system32\msygl32.exe,start
O4 - HKLM\..\Run: [pronto] anqh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\Run: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\Run: [fafa] mwoz.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunServices: [fafa] mwoz.exe
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\system32\alm7tas.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [pronto] anqh.exe
O4 - HKLM\..\RunServices: [z0ogu] z0ogu.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4534 bytes
  • 0
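The question this thread opens with is how to read a HijackThis log, and the second log above is most useful when compared against the first rather than read on its own. As an added example (not code from the thread, from HijackThis or from SDFix), the following Python script parses the O4 autorun lines from both logs, diffs them to show which registry values appeared, disappeared or changed their command between the first log and the one taken after SDFix ran, and applies the triage heuristics an analyst reads such a log with: bare filenames with no path, entries in the Windows 9x-era RunServices key, files in TEMP or with a .tmp extension, rundll32 loading an .exe, long opaque hexadecimal arguments, and autoruns registered in the SYSTEM or Default user profile hive. The sample input is a trimmed subset of O4 lines copied from the logs in posts #1 and #7; the KNOWN_GOOD list, the heuristic wording and every function name are this example's own assumptions, and a flag is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O4 (autorun) lines copied from the first HijackThis log in this thread and from
# the one taken after SDFix ran, trimmed to a subset: constructed sample input.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL45.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [fafa] mwoz.exe
O4 - HKLM\..\RunServices: [z0ogu] z0ogu.exe
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL4.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [z0ogu] z0ogu.exe
O4 - HKLM\..\Run: [WinDLL (msygl32.exe)] rundll32.exe C:\WINDOWS\system32\msygl32.exe,start
O4 - HKLM\..\Run: [fafa] mwoz.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunServices: [fafa] mwoz.exe
O4 - HKLM\..\RunServices: [z0ogu] z0ogu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
"""

# One O4 line: O4 - <hive>\..\<key>: [<value name>] <command> (User '<owner>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Value names the helper in this thread left alone: an analyst-maintained list (assumption).
KNOWN_GOOD = {"soundman", "avg7_cc", "avg7_run", "msconfig", "spybotsd teatimer",
              "nvmediacenter", "msmsgs", "sdfix"}
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


@dataclass(frozen=True)
class Autorun:
    hive: str            # HKLM, HKCU or HKUS\<SID>
    key: str             # Run, RunOnce or RunServices
    name: str            # value name shown in [brackets]
    cmd: str             # command line
    user: Optional[str]  # profile owner for HKUS entries, else None

    def ident(self) -> Tuple[str, str, str]:
        return (self.hive.upper(), self.key.lower(), self.name.lower())


def parse_o4(log: str) -> List[Autorun]:
    """Extract O4 entries; other line types (including Global Startup) are skipped."""
    hits = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [Autorun(m["hive"], m["key"], m["name"], m["cmd"], m["user"]) for m in hits if m]


def target_of(cmd: str) -> str:
    """Path or bare name of what actually runs: unwraps quoting and rundll32."""
    cmd = cmd.strip()
    head, _, rest = cmd[1:].partition('"') if cmd.startswith('"') else cmd.partition(" ")
    if head.lower().endswith("rundll32.exe"):
        head = rest.strip().split(",", 1)[0].strip('"')  # the library argument
    return head


def assess(e: Autorun) -> List[str]:
    """Triage heuristics: each reason is a prompt to look closer, not a verdict."""
    if e.name.lower() in KNOWN_GOOD:
        return []
    target = target_of(e.cmd)
    t = target.lower()
    reasons = []
    if "\\" not in target:
        reasons.append("bare filename without a path, resolved via the search path")
    if "\\temp\\" in t or t.endswith(".tmp"):
        reasons.append("runs from TEMP or is a .tmp file")
    if e.cmd.lower().startswith("rundll32") and t.endswith(".exe"):
        reasons.append("rundll32 loading an .exe as if it were a DLL")
    if HEX_BLOB.search(e.cmd):
        reasons.append("long opaque hexadecimal argument")
    if e.key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x key that XP software has no reason to use")
    if e.user in ("SYSTEM", "Default user"):
        reasons.append(f"autorun registered in the '{e.user}' profile hive")
    return reasons


def triage(entries: List[Autorun]) -> dict:
    return {e.ident(): r for e in entries if (r := assess(e))}


def diff_autoruns(before: List[Autorun], after: List[Autorun]):
    """Value names added, removed, or whose command changed between two logs."""
    b = {e.ident(): e for e in before}
    a = {e.ident(): e for e in after}
    added = sorted(k for k in a if k not in b)
    removed = sorted(k for k in b if k not in a)
    changed = sorted(k for k in a if k in b and a[k].cmd != b[k].cmd)
    return added, removed, changed


if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    print("added/removed/changed:", diff_autoruns(before, after))
    for (hive, key, name), reasons in triage(after).items():
        print(f"{hive}\\{key} [{name}]: " + "; ".join(reasons))
```

Run as a script it prints the diff and then the flagged entries of the second log. On the sample, the diff shows the RunServices value names reappearing under the Run key after the SDFix pass and AutoInclude now pointing at a differently numbered .tmp file, neither of which is visible from the second log alone.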

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi, I would like for you to go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the Checks.yymmdd-hhmm or Fixes.yymmdd-hhmm file that contains the files removed before the account started logging in and then logging out. Post that information here in your next reply.
  • 0

#9
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
OK, here's the last Fix report before the log-in/log-off problem began.



--- Report generated: 2008-04-21 11:21 ---

Smitfraud-C.: [SBI $3D8C0DCC] Program directory (Directory, fixed)
C:\Program Files\InetGet2\

AdSpy.TTC: [SBI $8F597076] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1242398B-8FD8-4C74-B31A-8C37046287AE}

AdSpy.TTC: [SBI $8F597076] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1242398B-8FD8-4C74-B31A-8C37046287AE}

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixed)
HKEY_USERS\PE_C_DES CHANEL.MENLO-G9WECL961\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixed)
HKEY_USERS\PE_C_ELIJAH JAMES\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixed)
HKEY_USERS\PE_C_MYDS.MENLO-G9WECL961\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixed)
HKEY_USERS\PE_C_SERGE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

Kazaa.Irc.Spybot13.WorldNL: [SBI $2D34E19B] Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

PremiumSearch: [SBI $DB786E08] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Z0OGU.exe

PremiumSearch: [SBI $477361B7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Z0OGU.exe

Virtumonde: [SBI $461108D3] Settings (Registry value, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Z0OGU.exe

Win32.Small.azl: [SBI $02AFBE7E] Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1

Win32.Small.azl: [SBI $FC4CBE9D] Executable (File, fixed)
C:\WINDOWS\b152.exe

Win32.Small.azl: [SBI $FC4CBE9D] Executable (File, fixed)
C:\WINDOWS\b153.exe

Win32.Small.azl: [SBI $FC4CBE9D] Executable (File, fixed)
C:\WINDOWS\b155.exe

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-25 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-19 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-19 Includes\DialerC.sbi (*)
2008-03-19 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-19 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-19 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-12 Includes\Malware.sbi (*)
2008-03-19 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-03-19 Includes\PUPSC.sbi (*)
2008-03-19 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-19 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-19 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-19 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
  • 0

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hmm, it is strange because I don't see anything that would cause that to happen.

Let's see if we cannot get a deeper look, please.
You can run this and install it in Safe Mode.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0


#11
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
Here they are:

Deckard's System Scanner v20071014.68
Run by Myds on 2008-04-24 11:54:11
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
8: 2008-04-21 20:34:00 UTC - RP42 - Installed AVG 7.5
7: 2008-04-21 19:50:19 UTC - RP41 - Installed AVG 7.5
6: 2008-04-21 19:46:16 UTC - RP40 - Installed AVG 7.5
5: 2008-04-21 19:25:35 UTC - RP39 - Installed AVG 7.5
4: 2008-04-17 17:08:11 UTC - RP38 - System Checkpoint


-- First Restore Point --
1: 2008-04-03 15:17:26 UTC - RP35 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-24 11:56:02
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Myds.MENLO-G9WECL961\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [z0ogu] z0ogu.exe
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\Run: [WinDLL (msygl32.exe)] rundll32.exe C:\WINDOWS\system32\msygl32.exe,start
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [pronto] anqh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\Run: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\Run: [fafa] mwoz.exe
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL4.tmp
O4 - HKLM\..\RunServices: [fafa] mwoz.exe
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\system32\alm7tas.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [pronto] anqh.exe
O4 - HKLM\..\RunServices: [z0ogu] z0ogu.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Service Agent] msngear.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Service Agent] msngear.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


--
End of file - 5191 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 oreans32 - c:\windows\system32\drivers\oreans32.sys
S3 catchme - c:\docume~1\myds~1.men\locals~1\temp\catchme.sys (file missing)
S3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\fetnd5.sys (file missing)
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 MSICPL - e:\install4\msicpl.sys (file missing)
S3 NTACCESS - e:\ntaccess.sys (file missing)
S3 SetupNTGLM7X - e:\ntglm7x.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\3&13C0B0C5&0&40
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\3&13C0B0C5&0&40
Service:


-- Files created between 2008-03-24 and 2008-04-24 -----------------------------

2008-04-24 10:00:29 0 d-------- C:\Program Files\Trend Micro
2008-04-24 09:58:04 280064 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-04-24 09:48:19 0 d-------- C:\WINDOWS\ERUNT
2008-04-23 16:01:41 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\AVG7
2008-04-21 14:37:16 0 d--hs---- C:\WINDOWS\CSC
2008-04-21 13:34:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-04-21 13:34:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-04-21 13:34:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-04-21 12:41:52 0 d-------- C:\WINDOWS\pss
2008-04-21 11:22:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-21 11:22:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-21 10:43:42 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-21 10:43:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-21 10:43:42 524288 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-21 10:43:42 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-21 10:43:42 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-21 10:43:42 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-17 10:14:17 0 d-------- C:\Documents and Settings\Elijah James\Application Data\Macromedia
2008-04-17 10:14:16 0 d-------- C:\Documents and Settings\Elijah James\Application Data\Adobe
2008-04-15 14:11:37 0 d-------- C:\Program Files\JavaCore
2008-04-15 14:06:24 0 d-------- C:\Program Files\nvcoi
2008-04-13 23:09:35 27 --a------ C:\Documents and Settings\Myds.MENLO-G9WECL961\kuki.bat
2008-04-11 21:01:40 27 --a------ C:\Documents and Settings\Des Chanel.MENLO-G9WECL961\he.bat
2008-04-10 21:26:44 1204224 --a------ C:\Documents and Settings\Myds.MENLO-G9WECL961\nope.dll
2008-04-10 21:26:44 27 --a------ C:\Documents and Settings\Myds.MENLO-G9WECL961\he.bat
2008-04-09 17:53:06 123193 ---h----- C:\WINDOWS\system32\len.exe
2008-04-08 22:23:11 123193 ---h----- C:\WINDOWS\system32\jer.exe
2008-04-08 14:03:21 0 d-------- C:\Program Files\CPV
2008-04-08 14:03:20 0 d-------- C:\Program Files\Temporary
2008-04-07 08:58:38 1204224 --a------ C:\WINDOWS\system32\nope.dll
2008-04-07 08:58:38 27 --a------ C:\WINDOWS\system32\kuki.bat
2008-04-07 08:56:48 1204224 --ahs---- C:\WINDOWS\system32\smaprnter.exe
2008-04-07 08:56:41 27 --a------ C:\WINDOWS\system32\he.bat
2008-04-01 21:21:05 0 d-------- C:\WINDOWS\system32\aqVreo04
2008-03-30 09:37:56 0 d-------- C:\WINDOWS\system32\zeb3
2008-03-30 09:37:56 0 d-------- C:\WINDOWS\system32\xk1
2008-03-30 09:37:56 0 d-------- C:\WINDOWS\system32\tf5
2008-03-30 09:37:47 0 d-------- C:\WINDOWS\system32\iDlo04
2008-03-25 23:52:05 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-25 23:52:05 2557 --a------ C:\WINDOWS\unins000.dat
2008-03-25 00:10:35 1137 -rahs---- C:\WINDOWS\system32\azkaban.vbs
2008-03-25 00:10:35 542 -rahs---- C:\WINDOWS\system32\azkaban.reg
2008-03-25 00:10:35 421 -rahs---- C:\WINDOWS\system32\azkaban.bat
2008-03-24 23:46:09 0 d--h----- C:\WINDOWS\system32\GroupPolicy


-- Find3M Report ---------------------------------------------------------------

2008-03-24 23:48:09 0 d-------- C:\Program Files\kari
2008-03-09 23:44:18 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 01:22 AM C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/21/2008 01:34 PM]
"z0ogu"="z0ogu.exe" [08/03/2004 03:56 PM C:\WINDOWS\system32\z0ogu.exe]
"Windows USB Monitor"="servupdate.exe" [08/03/2004 03:56 PM C:\WINDOWS\system32\servupdate.exe]
"WinDLL (msygl32.exe)"="C:\WINDOWS\system32\msygl32.exe" [12/27/2007 04:48 AM]
"SDFix"="C:\SDFix\RunThis.bat /second" []
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [04/24/2008 09:58 AM]
"pronto"="anqh.exe" [08/03/2004 03:56 PM C:\WINDOWS\system32\anqh.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [03/09/2006 12:29 AM]
"Internet Security Service"="mysqlwin32.exe" []
"Internet Firewall Layer"="tsqla.exe" [08/03/2004 03:56 PM C:\WINDOWS\system32\tsqla.exe]
"fafa"="mwoz.exe" [08/28/2002 12:41 PM C:\WINDOWS\system32\mwoz.exe]
"AutoInclude"="C:\WINDOWS\TEMP\DIL4.tmp" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 02:06 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SDFix"=C:\SDFix\RunThis.bat /second

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"fafa"=mwoz.exe
"Internet Firewall Layer"=tsqla.exe
"Internet"=C:\WINDOWS\system32\alm7tas.exe
"Internet Security Service"=mysqlwin32.exe
"pronto"=anqh.exe
"z0ogu"=z0ogu.exe
"Windows USB Monitor"=servupdate.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"nvcoi"=C:\Program Files\nvcoi\nvcoi.exe
"JavaCore"=C:\Program Files\\JavaCore\\JavaCore.exe
"Windows Service Agent"=msngear.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c09edd1a-e26f-11dc-b9e5-0016178cdd58}]
AutoRun\command- F:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}]
AutoRun\command- F:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs




-- Hosts -----------------------------------------------------------------------

127.0.0.1 dl2.teenpassage.com
127.0.0.1 ntkrnlpa.info
127.0.0.1 dl2.teenpassage.com
127.0.0.1 ntkrnlpa.info


-- End of Deckard's System Scanner: finished at 2008-04-24 11:56:36 ------------







Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® D CPU 3.06GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 254.48 MiB / 144.46 MiB
Pagefile Memory (total/avail): 625.45 MiB / 543.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.8 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.25 GiB total, 23.75 GiB free.
D: is Fixed (NTFS) - 39.43 GiB total, 37.78 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HDS721680PLAT80 - 76.69 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 39.43 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\mysqlwin32.exe"="C:\\WINDOWS\\system32\\mysqlwin32.exe:*:Disabled:mysqlwin32"
"C:\\WINDOWS\\system32\\anqh.exe"="C:\\WINDOWS\\system32\\anqh.exe:*:Disabled:anqh"
"C:\\WINDOWS\\system32\\win.exe"="C:\\WINDOWS\\system32\\win.exe:*:Disabled:win"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\WINDOWS\\system32\\tsqla.exe"="C:\\WINDOWS\\system32\\tsqla.exe:*:Disabled:tsqla"
"C:\\WINDOWS\\system32\\mwoz.exe"="C:\\WINDOWS\\system32\\mwoz.exe:*:Disabled:mwoz"
"C:\\WINDOWS\\system32\\bl.exe"="C:\\WINDOWS\\system32\\bl.exe:*:Disabled:bl"
"C:\\WINDOWS\\system32\\msngear.exe"="C:\\WINDOWS\\system32\\msngear.exe:*:Disabled:msngear"
"C:\\WINDOWS\\system32\\z0ogu.exe"="C:\\WINDOWS\\system32\\z0ogu.exe:*:Disabled:z0ogu"
"C:\\WINDOWS\\system32\\alm7tas.exe"="C:\\WINDOWS\\system32\\alm7tas.exe:*:Disabled:Internet"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\servupdate.exe"="C:\\WINDOWS\\system32\\servupdate.exe:*:Enabled:Windows USB Monitor"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MENLO-G9WECL961
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Myds.MENLO-G9WECL961
LOGONSERVER=\\MENLO-G9WECL961
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MYDS~1.MEN\LOCALS~1\Temp
TMP=C:\DOCUME~1\MYDS~1.MEN\LOCALS~1\Temp
USERDOMAIN=MENLO-G9WECL961
USERNAME=Myds
USERPROFILE=C:\Documents and Settings\Myds.MENLO-G9WECL961
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Des Chanel.MENLO-G9WECL961 (admin)
Elijah James (admin)
Myds.MENLO-G9WECL961 (admin)
Serge (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
HijackThis 2.0.2 --> "D:\eBooks\HiJackThis\HijackThis.exe" /uninstall
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
Microsoft Encarta Reference Library 2004 --> MsiExec.exe /I{044100C0-9149-45C6-A806-F2BF9CFCE762}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
mIRC --> "C:\WINDOWS\system32\SYSTEM [bleep]\psycho.exe" -uninstall
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2213 / Error
Event Submitted/Written: 04/24/2008 09:57:42 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module js3250.dll, version 4.0.0.0, fault address 0x00020b42.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2114 / Error
Event Submitted/Written: 04/19/2008 00:59:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.31114, faulting module npswf32.dll, version 9.0.115.0, fault address 0x0000d899.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2113 / Error
Event Submitted/Written: 04/19/2008 00:56:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.31114, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2092 / Warning
Event Submitted/Written: 04/17/2008 00:22:20 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'OfficeUserData', component '{C9AF9050-C8BE-11D1-9C67-0000F81F1B38}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserData' does not exist.

Event Record #/Type2091 / Warning
Event Submitted/Written: 04/17/2008 11:13:31 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'WordUserData', component '{8ADD2C93-C8B7-11D1-9C67-0000F81F1B38}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\UserData' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1672 / Error
Event Submitted/Written: 04/24/2008 11:18:47 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Avg7Alrt with arguments ""
in order to run the server:
{3486DF65-1D90-406A-A072-30629910F113}

Event Record #/Type1671 / Error
Event Submitted/Written: 04/24/2008 11:18:46 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Avg7Alrt with arguments ""
in order to run the server:
{3486DF65-1D90-406A-A072-30629910F113}

Event Record #/Type1670 / Error
Event Submitted/Written: 04/24/2008 11:18:42 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Avg7Alrt with arguments ""
in order to run the server:
{3486DF65-1D90-406A-A072-30629910F113}

Event Record #/Type1669 / Warning
Event Submitted/Written: 04/24/2008 11:02:36 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0016178CDD58. The IP address being used is 169.254.81.213.

Event Record #/Type1668 / Warning
Event Submitted/Written: 04/24/2008 11:02:34 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016178CDD58. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-04-24 11:56:36 ------------
  • 0

#12
Stir423 (Member, Topic Starter, 26 posts)
I want to add that before I went online today, I unhid the system operating files and found files (azkaban.reg, azkaban.bat, azkaban.vbs and autorun.inf) that make up the azkaban virus on the C and D drives. I promptly deleted them. The machine had the same problem weeks before. And this was how it was rid of it.
  • 0

#13
Stir423 (Member, Topic Starter, 26 posts)
I notice that under C:\WINDOWS\system32 there's a folder named SYSTEM [bleep] which contains several reg files and the executables psycho.exe and sex.exe. I had mIRC removed from Control Panel, but the folder and files remain.
  • 0

#14
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Ok for now let's do the following.
============================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\msygl32.exe
    C:\WINDOWS\mrofinu1001186.exe
    C:\WINDOWS\mrofinu1001186.exe.tmp
    C:\WINDOWS\TEMP\DIL4.tmp
    C:\WINDOWS\system32\alm7tas.exe
    C:\Windows\z0ogu.exe
    C:\Windows\system32\z0ogu.exe
    C:\Windows\servupdate.exe
    C:\Windows\system32\servupdate.exe
    C:\Windows\mysqlwin32.exe
    C:\Windows\system32\mwoz.exe
    C:\Windows\mwoz.exe
    C:\Windows\system32\tsqla.exe
    C:\Windows\tsqla.exe
    C:\Windows\system32\anqh.exe
    C:\Windows\anqh.exe
    C:\Windows\system32\msngear.exe 
    C:\Windows\msngear.exe 
    C:\Program Files\nvcoi
    C:\Program Files\\JavaCore
    C:\Documents and Settings\Myds.MENLO-G9WECL961\kuki.bat
    C:\Documents and Settings\Des Chanel.MENLO-G9WECL961\he.bat
    C:\Documents and Settings\Myds.MENLO-G9WECL961\nope.dll
    C:\Documents and Settings\Myds.MENLO-G9WECL961\he.bat
    C:\Program Files\Temporary
    C:\WINDOWS\system32\nope.dll
    C:\WINDOWS\system32\kuki.bat
    C:\WINDOWS\system32\smaprnter.exe
    C:\WINDOWS\system32\he.bat
    C:\WINDOWS\system32\aqVreo04
    C:\WINDOWS\system32\zeb3
    C:\WINDOWS\system32\xk1
    C:\WINDOWS\system32\tf5
    C:\WINDOWS\system32\iDlo04
    C:\WINDOWS\system32\azkaban.vbs
    C:\WINDOWS\system32\azkaban.reg
    C:\WINDOWS\system32\azkaban.bat
    F:\infrom.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\z0ogu
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows USB Monitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinDLL (msygl32.exe)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pronto
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Internet Security Service
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Internet Firewall Layer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fafa
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AutoInclude
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\fafa
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Firewall Layer
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Security Service
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\pronto
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\z0ogu
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Windows USB Monitor
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\nvcoi
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\JavaCore
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\Windows Service Agent
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c09edd1a-e26f-11dc-b9e5-0016178cdd58}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
============================================================
Then see if you can get into normal mode.
If you cannot, then just post those logs and a new DSS log, please.
  • 0
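Added example (editor's note, not part of this thread and not code from DSS, OTMoveIt2 or MBAM): a small Python parser for the Registry Dump section of a Deckard's System Scanner log. It reads the `[key]` / `"name"=value [timestamp path]` lines exactly as DSS prints them and flags the traits that make the autoruns above stand out: a bare filename that the loader resolves through the search path rather than a full path, a launch from a TEMP directory, and anything registered under the Windows 9x-era RunServices key. Flagged entries are emitted in the `KEY\\name` form used in the OTMoveIt2 list above so a helper can review them. The sample dump, the heuristics and the `known_good` list are constructed for the example; the list of entries the helper chose to leave alone (SoundMan, AVG7_CC) is taken from the post.

```python
"""Triage the Registry Dump section of a Deckard's System Scanner (DSS) log.

Added example, not part of this thread or of DSS/OTMoveIt2. It parses the
"[key]" / "name"=value [timestamp path] lines DSS prints and flags entries
with the traits seen in the autoruns above: a bare filename resolved through
the search path instead of a full path, a launch from a TEMP directory, or a
value under the Windows 9x-era RunServices key. Flagged entries are returned
in the KEY\\name form OTMoveIt2 accepts, for a human to review before use.
"""
import re
from typing import Iterable, List, Tuple

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="quoted value" [meta]   or   "name"=unquoted value
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"='
    r'(?:"(?P<qval>[^"]*)"|(?P<val>[^\[]*?))'
    r"(?:\s*\[(?P<meta>[^\]]*)\])?\s*$"
)

Entry = Tuple[str, str, str, str]  # (key, name, value, meta)

# Constructed sample in the exact line shape of the dump above (a subset of it).
SAMPLE_DUMP = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 01:22 AM C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/21/2008 01:34 PM]
"z0ogu"="z0ogu.exe" [08/03/2004 03:56 PM C:\WINDOWS\system32\z0ogu.exe]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [04/24/2008 09:58 AM]
"AutoInclude"="C:\WINDOWS\TEMP\DIL4.tmp" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"fafa"=mwoz.exe
"Internet"=C:\WINDOWS\system32\alm7tas.exe
"""


def parse_dump(text: str) -> List[Entry]:
    """Return (key, name, value, meta) for every value line under a [key] header."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            value = m.group("qval") if m.group("qval") is not None else m.group("val")
            entries.append((key, m.group("name"), value.strip(), (m.group("meta") or "").strip()))
    return entries


def resolved_path(meta: str) -> str:
    """DSS meta reads 'MM/DD/YYYY HH:MM AM path' when it located the file; return the path part."""
    parts = meta.split(" ", 3)
    return parts[3] if len(parts) == 4 else ""


def flag_suspicious(entries: Iterable[Entry], known_good: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Heuristic triage: returns (OTMoveIt2-style 'KEY\\\\name', reasons) for each candidate.

    known_good holds value names a reviewer has already vetted; they are skipped.
    """
    allow = {n.lower() for n in known_good}
    hits: List[Tuple[str, str]] = []
    for key, name, value, meta in entries:
        if name.lower() in allow:
            continue
        reasons = []
        cmd = value.split(" ")[0]  # first token is the executable, rest are arguments
        if "\\runservices" in key.lower():
            reasons.append("RunServices is a Windows 9x-era key; nothing legitimate on XP registers there")
        if cmd and "\\" not in cmd:
            where = resolved_path(meta)
            reasons.append("bare filename resolved via search path" + (f" (found at {where})" if where else ""))
        if re.search(r"\\temp\\|\.tmp$", value, re.IGNORECASE):
            reasons.append("launches from a TEMP directory")
        if reasons:
            hits.append((f"{key}\\\\{name}", "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    # Entries the helper in this thread left alone are treated as known good.
    for line, why in flag_suspicious(parse_dump(SAMPLE_DUMP), known_good=("SoundMan", "AVG7_CC")):
        print(f"{line}\n    {why}")
```

The output is a candidate list, not a verdict: with an empty `known_good` the Realtek `SoundMan` entry is flagged too, because it is also a bare filename, and `runner1` (`C:\WINDOWS\mrofinu1001186.exe`) is not flagged at all, because a full path under `C:\WINDOWS` carries none of these traits; the helper identified that one from the running-process list and the file name, which no simple rule reproduces.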

#15
Stir423 (Member, Topic Starter, 26 posts)
I tried to implement your last suggestion but I encountered a few snags along the way. Still running in Safe Mode. Can't finish running OTMoveIt. This message comes up: "SecureEngine driver cannot be updated because there are programs using it. You need to close these programs and restart your computer." So I restart, still in Safe Mode. I check the OTMoveIt folders and see that there are files there but no log. When trying to install MBAM, I hit a wall as well with this file, mbamext.dll, and this message: "unable to register DLL/OCX RegSvr32". So I was unable to run MBAM. All that's left is to post the last DSS report. What now?


Deckard's System Scanner v20071014.68
Run by Myds on 2008-04-28 14:55:51
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-28 14:55:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Myds.MENLO-G9WECL961\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [fafa] mwoz.exe
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\system32\alm7tas.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [pronto] anqh.exe
O4 - HKLM\..\RunServices: [z0ogu] z0ogu.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Service Agent] msngear.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Service Agent] msngear.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


--
End of file - 4577 bytes

-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-24 10:00:29 0 d-------- C:\Program Files\Trend Micro
2008-04-24 09:48:19 0 d-------- C:\WINDOWS\ERUNT
2008-04-23 16:01:41 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\AVG7
2008-04-21 14:37:16 0 d--hs---- C:\WINDOWS\CSC
2008-04-21 13:34:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-04-21 13:34:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-04-21 13:34:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-04-21 12:41:52 0 d-------- C:\WINDOWS\pss
2008-04-21 11:22:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-21 11:22:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-21 10:43:42 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-21 10:43:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-21 10:43:42 524288 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-21 10:43:42 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-21 10:43:42 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-21 10:43:42 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-17 10:14:17 0 d-------- C:\Documents and Settings\Elijah James\Application Data\Macromedia
2008-04-17 10:14:16 0 d-------- C:\Documents and Settings\Elijah James\Application Data\Adobe
2008-04-10 21:26:44 1204224 --a------ C:\Documents and Settings\Myds.MENLO-G9WECL961\nope.dll
2008-04-10 21:26:44 27 --a------ C:\Documents and Settings\Myds.MENLO-G9WECL961\he.bat
2008-04-09 17:53:06 123193 --ah----- C:\WINDOWS\system32\len.exe
2008-04-08 22:23:11 123193 --ah----- C:\WINDOWS\system32\jer.exe
2008-04-08 14:03:21 0 d-------- C:\Program Files\CPV
2008-04-08 14:03:20 0 d-------- C:\Program Files\Temporary
2008-04-07 08:58:38 1204224 --a------ C:\WINDOWS\system32\nope.dll
2008-04-07 08:58:38 27 --a------ C:\WINDOWS\system32\kuki.bat
2008-04-07 08:56:48 1204224 --ahs---- C:\WINDOWS\system32\smaprnter.exe
2008-04-07 08:56:41 27 --a------ C:\WINDOWS\system32\he.bat
2008-04-01 21:21:05 0 d-------- C:\WINDOWS\system32\aqVreo04
2008-03-30 09:37:56 0 d-------- C:\WINDOWS\system32\zeb3
2008-03-30 09:37:56 0 d-------- C:\WINDOWS\system32\xk1
2008-03-30 09:37:56 0 d-------- C:\WINDOWS\system32\tf5
2008-03-30 09:37:47 0 d-------- C:\WINDOWS\system32\iDlo04


-- Find3M Report ---------------------------------------------------------------

2008-03-25 23:52:05 2557 --a------ C:\WINDOWS\unins000.dat
2008-03-25 23:30:02 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 23:48:09 0 d-------- C:\Program Files\kari
2008-03-09 23:44:18 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 01:22 AM C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/21/2008 01:34 PM]
"Windows USB Monitor"="servupdate.exe" []
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [03/09/2006 12:29 AM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/03/2004 03:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SDFix"=C:\SDFix\RunThis.bat /second

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"fafa"=mwoz.exe
"Internet Firewall Layer"=tsqla.exe
"Internet"=C:\WINDOWS\system32\alm7tas.exe
"Internet Security Service"=mysqlwin32.exe
"pronto"=anqh.exe
"z0ogu"=z0ogu.exe
"Windows USB Monitor"=servupdate.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"nvcoi"=C:\Program Files\nvcoi\nvcoi.exe
"JavaCore"=C:\Program Files\\JavaCore\\JavaCore.exe
"Windows Service Agent"=msngear.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoInclude]
C:\WINDOWS\TEMP\DIL4.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fafa]
mwoz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Firewall Layer]
tsqla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service]
mysqlwin32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronto]
anqh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
C:\SDFix\RunThis.bat /second

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)]
rundll32.exe C:\WINDOWS\system32\msygl32.exe,start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z0ogu]
z0ogu.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c09edd1a-e26f-11dc-b9e5-0016178cdd58}]
AutoRun\command- F:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}]
AutoRun\command- F:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs




-- End of Deckard's System Scanner: finished at 2008-04-28 14:56:33 ------------