Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Braviax, Sircam, Winreanimator help. [CLOSED]


  • This topic is locked This topic is locked

#1
deekay_dk

deekay_dk

    Member

  • Member
  • PipPip
  • 10 posts
I have a close friend who asked me to take a look at their pc after it crashed. He gave the symptoms of a red biohazard wallpaper and system instability. When I looked at the pc and booted the first thing I was greeted by was a yellow and blue box that said Warning Spyware detected on your computer ....install and anti virus. Then the PC barely booted into windows, and I was greeted the by the system locking up and now bug were crawling all over the screen and eating it.

I booted into safe mood and ran the following programs in this order

SmitFraudFix - Found and cleaned alot of stuff
SDFix - Got to the finishing stage after running catchme and the PC rebooted, didnt get a log file.
ComboFix - Finished
Super AntiSpyware - 440 infections, found alot of stuff.

After all these were ran, the only issues that i saw were the after effects of the Sircam worm. I used the exe fix tool and it worked.

Now I still see the red white shield that tries to install Winreanimator, and the remnants of Braviax/Cru629/Beep.sys

I tried getting into safe mode, using kill box to delete and dummy them, then remove registry entries. I have had no luck removing it. Also at the time being, I have to rename every infection software tool to something else to be open it. Nothing would get rid of them I tried.

Since I have a few logs I will post some of the older logs, followed by a freshly taken log. Hopefully we can get rid of this pesky infection. I will paste the new HJT, and 3 scans of SD, one as combofix, a malware bytes scan as well


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17, on 2008-04-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinReanimator\WinReanimator.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\ps2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Hjeeet.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\System32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: lDbygiFghaRNwYW - {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\System32\kpdfw.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 4414 bytes

Attached Files


  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi deekay_dk

welcome to geekstogo :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

you may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk
  • 0

#3
deekay_dk

deekay_dk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
as requested

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-25 11:58:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
6: 2008-04-25 00:58:54 UTC - RP6 - ComboFix created restore point
5: 2008-04-23 12:13:26 UTC - RP5 - Installed Windows Installer KB893803v2.
4: 2008-04-23 11:23:29 UTC - RP4 - Removed Google Earth.
3: 2008-04-22 16:59:11 UTC - RP3 - Installed ErrorSmart
2: 2008-04-22 15:56:29 UTC - RP2 - Unsigned driver install


-- First Restore Point --
1: 2008-04-22 15:48:33 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-25 11:59:49
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\WinReanimator\WinReanimator.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Desktop\dss22.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\System32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\System32\vedxg6ame4.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: lDbygiFghaRNwYW - {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\system32\kpdfw.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! mail scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! web scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 5866 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 sasdifsv - c:\program files\superantispyware\sasdifsv.sys
R1 saskutil - c:\program files\superantispyware\saskutil.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S1 AFS2K - c:\windows\system32\drivers\afs2k.sys
S1 ydhqzop - c:\windows\ydhqzop.sys (file missing)
S3 catchme - c:\docume~1\owner~1.you\locals~1\temp\catchme.sys (file missing)
S3 sasenum - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROM_NEC_DVD+RW_ND-2100AD___________________1.26____\5&22AC9DF0&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: _NEC DVD+RW ND-2100AD
PNP Device ID: IDE\CDROM_NEC_DVD+RW_ND-2100AD___________________1.26____\5&22AC9DF0&0&0.0.0
Service: cdrom


-- Scheduled Tasks -------------------------------------------------------------

2008-04-22 18:56:41 408 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-04-22 09:01:33 272 --a------ C:\WINDOWS\Tasks\Easy Internet Sign-up.job
2006-11-04 15:34:18 402 --a------ C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job


-- Files created between 2008-03-25 and 2008-04-25 -----------------------------

2008-04-24 21:09:09 0 d-------- C:\Program Files\WinReanimator
2008-04-24 20:54:37 0 d-------- C:\!KillBox
2008-04-24 20:30:59 0 d-------- C:\VundoFix Backups
2008-04-24 20:23:35 17408 --a------ C:\WINDOWS\braviax.exe
2008-04-24 20:10:59 11254 --a------ C:\WINDOWS\System32\locate.com
2008-04-24 20:10:37 0 d-------- C:\MGtools
2008-04-24 19:59:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-24 19:56:37 6656 --a------ C:\WINDOWS\System32\univrs32.dat
2008-04-24 19:55:24 6144 --a------ C:\WINDOWS\System32\cru629.dat
2008-04-24 19:55:24 6144 --a------ C:\WINDOWS\cru629.dat
2008-04-24 19:54:14 206 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\delself.bat
2008-04-24 19:54:13 35328 --a------ C:\WINDOWS\System32\drivers\beep.sys
2008-04-24 19:42:02 0 d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\Malwarebytes
2008-04-24 19:20:42 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Malwarebytes
2008-04-24 19:20:32 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 19:20:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 19:19:54 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-24 19:12:42 0 d-------- C:\WinPFind3u
2008-04-24 19:12:01 0 d-------- C:\Rustbfix
2008-04-24 19:11:44 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-04-24 19:11:44 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-24 19:11:44 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-24 19:11:44 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-24 19:11:44 82432 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-24 19:11:44 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-04-24 19:11:43 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-24 18:51:58 0 d-------- C:\Program Files\Alwil Software
2008-04-24 18:37:19 483328 --a------ C:\WINDOWS\System32\hphmon05.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-04-24 18:37:19 52736 --a------ C:\WINDOWS\system\hpsysdrv.exe <Not Verified; Hewlett-Packard Company; hpsysdrv>
2008-04-24 18:15:23 0 dr-h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Recent
2008-04-24 18:14:34 0 d-------- C:\Program Files\CCleaner
2008-04-24 18:03:41 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-24 17:58:41 68096 --a------ C:\WINDOWS\zip.exe
2008-04-24 17:58:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-24 17:58:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 17:58:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 17:58:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 17:58:41 98816 --a------ C:\WINDOWS\sed.exe
2008-04-24 17:58:41 80412 --a------ C:\WINDOWS\grep.exe
2008-04-24 17:58:41 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 17:32:32 10752 --a------ C:\exefix_xp.com <Not Verified; ; ExeFix for Windows® XP>
2008-04-24 17:15:30 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-24 17:15:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-24 17:15:08 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\SUPERAntiSpyware.com
2008-04-24 17:14:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 05:13:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-22 18:56:37 0 d-------- C:\Program Files\Norton Security Scan
2008-04-22 18:38:21 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 18:19:20 0 dr-hs---- C:\cmdcons
2008-04-22 18:18:54 0 d-------- C:\WINDOWS\setupupd
2008-04-22 09:59:33 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\ErrorSmart
2008-04-22 09:52:45 0 dr-hs--c- C:\WINDOWS\System32\dllcache
2008-04-22 08:29:06 208896 --a------ C:\WINDOWS\System32\wmpns.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Player>
2008-04-22 08:27:24 175712 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\GDIPFONTCACHEV1.DAT
2008-04-22 08:22:49 184386 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\hpdj04 <Not Verified; HP; HP DeskJet>
2008-04-22 08:22:49 184386 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\hpdj02 <Not Verified; HP; HP DeskJet>
2008-04-22 08:14:21 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Aim
2008-04-22 08:14:21 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\AdobeUM
2008-04-22 08:14:21 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Adobe
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\LimeWire
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Leadertech
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\j2 Global
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\InterVideo
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\interMute
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Identities
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\HP
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Help
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Google
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\funkitron
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\FUJIFILM
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Earthlink
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\EarthLink Toolbar
2008-04-22 08:14:20 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Datalayer
2008-04-22 08:14:09 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Macromedia
2008-04-22 08:14:08 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Musicmatch
2008-04-22 08:14:08 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\MSN6
2008-04-22 08:14:08 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Mozilla
2008-04-22 08:14:08 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Motive
2008-04-22 08:14:07 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\PC Suite
2008-04-22 08:14:07 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Nokia
2008-04-22 08:14:07 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Nokia Multimedia Player
2008-04-22 08:14:06 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Sun
2008-04-22 08:14:06 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Sonic
2008-04-22 08:14:06 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Share-to-Web Upload Folder
2008-04-22 08:14:06 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\ScamBlocker
2008-04-22 08:14:06 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\SampleView
2008-04-22 08:14:06 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Real
2008-04-22 08:14:02 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Viewpoint
2008-04-22 08:14:02 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\TmpRecentIcons
2008-04-22 08:14:02 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Template
2008-04-22 08:14:02 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Symantec
2008-04-22 08:14:01 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Incomplete
2008-04-22 08:14:01 0 dr------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Favorites
2008-04-22 08:14:01 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Desktop
2008-04-22 08:14:01 0 d---s---- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Cookies
2008-04-22 08:14:01 0 dr-h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data
2008-04-22 08:14:01 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Yahoo!
2008-04-22 08:14:01 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Yahoo! Messenger
2008-04-22 08:14:01 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\WildTangent
2008-04-22 08:14:01 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Webshots
2008-04-22 08:13:57 0 d--h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\NetHood
2008-04-22 08:13:57 0 dr------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\My Documents
2008-04-22 08:13:57 0 d--h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings
2008-04-22 08:13:56 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\WINDOWS
2008-04-22 08:13:56 0 d---s---- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\UserData
2008-04-22 08:13:56 0 d--h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Templates
2008-04-22 08:13:56 0 dr------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Start Menu
2008-04-22 08:13:56 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Shared
2008-04-22 08:13:56 0 dr-h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\SendTo
2008-04-22 08:13:56 0 d--h----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\PrintHood
2008-04-22 08:13:56 0 d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Phone Browser
2008-04-22 08:13:56 1835008 --ah----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\NTUSER.DAT
2008-04-22 07:55:04 10368 -----n--- C:\WINDOWS\System32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-04-22 07:54:36 204800 --a------ C:\WINDOWS\System32\IVIresizeW7.dll
2008-04-22 07:54:36 188416 --a------ C:\WINDOWS\System32\IVIresizePX.dll
2008-04-22 07:54:36 192512 --a------ C:\WINDOWS\System32\IVIresizeP6.dll
2008-04-22 07:54:36 192512 --a------ C:\WINDOWS\System32\IVIresizeM6.dll
2008-04-22 07:54:36 200704 --a------ C:\WINDOWS\System32\IVIresizeA6.dll
2008-04-22 07:54:36 20480 --a------ C:\WINDOWS\System32\IVIresize.dll
2008-04-22 07:50:21 175712 --a----c- C:\Documents and Settings\Default User\Application Data\GDIPFONTCACHEV1.DAT
2008-04-22 07:30:03 184386 --a----c- C:\Documents and Settings\Default User\hpdj02 <Not Verified; HP; HP DeskJet>
2008-04-22 07:30:02 184386 --a----c- C:\Documents and Settings\Default User\hpdj04 <Not Verified; HP; HP DeskJet>
2008-04-22 07:20:43 0 d--hs---- C:\Documents and Settings\Default User\UserData
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Shared
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Phone Browser
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Incomplete
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Yahoo!
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Yahoo! Messenger
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\WildTangent
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Webshots
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Viewpoint
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\TmpRecentIcons
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Template
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Share-to-Web Upload Folder
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\ScamBlocker
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\PC Suite
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Nokia
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Nokia Multimedia Player
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Musicmatch
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\MSN6
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Mozilla
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Motive
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\LimeWire
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Leadertech
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\j2 Global
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\InterVideo
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\HP
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Help
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Google
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\funkitron
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\FUJIFILM
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Earthlink
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\EarthLink Toolbar
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Datalayer
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Aim
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\AdobeUM
2008-04-22 07:20:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-04-21 22:12:49 0 d-------- C:\Program Files\Windows Sidebar
2008-04-21 19:40:16 0 d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-04-17 11:14:31 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-17 11:14:31 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-01 13:54:08 0 d-------- C:\Program Files\Cablenut


-- Find3M Report ---------------------------------------------------------------

2008-04-24 19:28:25 0 d-------- C:\Program Files\Wxvwgbtk
2008-04-24 19:19:54 0 d-------- C:\Program Files\Common Files
2008-04-24 18:48:50 0 d-------- C:\Program Files\Multimedia Card Reader
2008-04-24 18:22:22 3678 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-24 18:18:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-23 04:27:13 0 d-------- C:\Program Files\Norton AntiVirus
2008-04-23 04:23:51 0 d-------- C:\Program Files\Google
2008-04-22 10:06:23 0 d-------- C:\Program Files\Windows NT
2008-04-22 10:06:20 0 d-------- C:\Program Files\Movie Maker
2008-04-22 10:06:20 0 d-------- C:\Program Files\Messenger
2008-04-22 09:01:51 3884 --a----c- C:\WINDOWS\viassary-hp.reg
2008-04-22 09:01:33 0 d-------- C:\Program Files\Easy Internet signup
2008-04-22 08:57:24 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-22 06:13:49 0 d-------- C:\Program Files\The Cleaner
2008-04-17 15:01:59 7160 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\NMM-MetaData.db
2008-04-17 11:14:30 0 d-------- C:\Program Files\Nokia
2008-03-24 14:09:57 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-04-24 18:37]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-04-24 18:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 18:37]
"AGRSMMSG"="AGRSMMSG.exe" [2003-12-12 22:54 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 21:35 C:\WINDOWS\ALCXMNTR.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"WinReanimator"="C:\Program Files\WinReanimator\WinReanimator.exe" [2008-02-29 23:45]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-24 18:37]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-24 18:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"jdgf894jrghoiiskd"=C:\WINDOWS\TEMP\winlogan.exe
"Service Pack 1"=C:\WINDOWS\System32\vedxg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lDbygiFghaRNwYW"= {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\System32\kpdfw.dll [2002-08-29 05:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 11:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jmq57.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\psexesvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xce13.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-04-25 12:00:26 ------------
  • 0

#4
deekay_dk

deekay_dk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Now here is extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3000+
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 447.48 MiB / 211.65 MiB
Pagefile Memory (total/avail): 1056.92 MiB / 914.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 107.32 GiB total, 86.18 GiB free.
D: is Fixed (FAT32) - 4.45 GiB total, 0.53 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD1200BB-22FTA0 - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 4.46 GiB - D:
\PARTITION1 (bootable) - Installable File System - 107.32 GiB - C:

\\.\PHYSICALDRIVE5 - USB Flash Memory USB Device - 486.34 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 488.86 MiB - J:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is not configured.
AUState says computer is in an unknown state.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-AT5QGAAC3Z
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner.YOUR-AT5QGAAC3Z
LOGONSERVER=\\YOUR-AT5QGAAC3Z
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp
TMP=C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp
USERDOMAIN=YOUR-AT5QGAAC3Z
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner.YOUR-AT5QGAAC3Z (admin)
Administrator.YOUR-AT5QGAAC3Z (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Agere Systems PCI Soft Modem --> agrsmdel
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Blackhawk Striker from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E28167F1-3F42-40C7-9119-1D5A97444F10\Uninstall.exe"
Blasterball 2 from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8C4E79CC-03E1-43AA-9910-9A5113F24603\Uninstall.exe"
Bounce Symphony from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0613467F-A45E-4CB1-9ECE-1F3DD79FB927} /l1033
Excavation from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C56C66C3-3462-4A3F-8661-9E18362A5E7C\Uninstall.exe"
Five Card Frenzy from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DA44615A-C243-46A4-8E47-184CFF33CD38\Uninstall.exe"
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\HijackThis.exe" /uninstall
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 3.5 --> C:\Program Files\HP\Digital Imaging\{C6C44651-7C66-4b11-92E8-17565D3D22DD}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
HPIZ350 --> MsiExec.exe /X{F247869D-3643-4A9F-821B-3534145928E3}
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
Internet Explorer Q832894 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q832894.inf
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF9967D8-1999-4260-ACC2-86901AA36650}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Norton Security Scan --> MsiExec.exe /I{3A4FFB84-D070-4DA5-AB7B-D41D87FD8D19}
NVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
Orbital from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe"
Otto from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BFBCBAE3-8293-4215-9C4F-C2402C118EDB\Uninstall.exe"
Outlook Express Update Q330994 --> C:\WINDOWS\Q330994.exe C:\WINDOWS\INF\Q330994.inf
Overball from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Polar Bowler from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
S3 S3Display --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Slyder from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Toolkit View(HP) --> c:\Windows\HPTK\unhptkit.exe
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zone Deluxe Games --> MsiExec.exe /I{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}


-- Application Event Log -------------------------------------------------------

Event Record #/Type195 / Error
Event Submitted/Written: 04/24/2008 09:11:35 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type194 / Error
Event Submitted/Written: 04/24/2008 09:11:35 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type193 / Error
Event Submitted/Written: 04/24/2008 09:10:34 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type192 / Error
Event Submitted/Written: 04/24/2008 09:10:34 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type191 / Error
Event Submitted/Written: 04/24/2008 09:09:11 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application winreanimator.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type48785 / Error
Event Submitted/Written: 04/25/2008 11:15:15 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFS2K
rjnl48

Event Record #/Type48784 / Error
Event Submitted/Written: 04/25/2008 11:15:15 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type48783 / Error
Event Submitted/Written: 04/25/2008 11:15:15 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The avast! antivirus service failed to start due to the following error:
%%1053

Event Record #/Type48782 / Error
Event Submitted/Written: 04/25/2008 11:15:15 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the avast! antivirus service to connect.

Event Record #/Type48765 / Error
Event Submitted/Written: 04/24/2008 09:19:56 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFS2K
rjnl48



-- End of Deckard's System Scanner: finished at 2008-04-25 12:00:26 ------------
  • 0

#5
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi deekay_dk

i can see the infections in your logs now, so in this post we will re-run some of the tools you have already tried and then in the following post we will also be removing further infections.

====STEP 1====
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

====STEP 2====
could you delete the current version of malwarebytes that you have and follow these instructions:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


====STEP 3====
could you re-run combofix


In your next reply could i see:
1. the Report.txt
2. the malwarebytes log
3. the combofix log
4. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#6
deekay_dk

deekay_dk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
As requested


SDFix: Version 1.116

Run by Administrator on Fri 04/25/2008 at 12:41 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 35328 04/24/2008 07:54 PM
"C:\WINDOWS\system32\drivers\beep.sys" 35328 04/24/2008 07:54 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

Trojan File copied to Backups Folder
Attempting to replace beep.sys with original version...

Original beep.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 12:48:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p]
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Group"="SCSI miniport"
"Tag"=dword:0000002a
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_dlls"="cru629.dat"

scanning hidden files ...

C:\WINDOWS\Prefetch\PCHealth\UploadLB
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries\UploadM.exe 138752 bytes executable
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config\config.xml 466 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 22 Apr 2008 196 A.SHR --- "C:\BOOT.BAK"
Wed 30 Aug 2006 36,685 ...H. --- "C:\Program Files\eFax Messenger Plus 3.3\J2GPlus.exe-BarStateC"
Wed 29 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMComReg.exe"
Sun 26 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 7 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat 7 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat 7 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat 7 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat 7 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat 7 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat 7 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat 7 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat 7 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat 7 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat 7 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat 7 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat 7 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"
Sun 26 Aug 2007 20 A..H. --- "C:\Documents and Settings\Default User\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sun 26 Aug 2007 20 A..H. --- "C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sun 26 Aug 2007 20 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"

Finished!

_---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.11
Database version: 682

Scan type: Full Scan (C:\|)
Objects scanned: 157090
Time elapsed: 40 minute(s), 36 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 117

Memory Processes Infected:
C:\Program Files\WinReanimator\WinReanimator.exe (Rogue.WinReanimator) -> No action taken.

Memory Modules Infected:
c:\program files\winreanimator\winreanimator.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\htmlayout.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\pthreadVC2.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll (Rogue.WinReanimator) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator (Rogue.WinReanimator) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReanimator (Rogue.WinReanimator) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinReanimator (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\data (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT (Rogue.WinReanimator) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator (Rogue.WinReanimator) -> No action taken.

Files Infected:
c:\program files\winreanimator\winreanimator.dll (Rogue.WinReanimator) -> No action taken.
C:\!KillBox\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\Installer2[1].exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\WinReanimator\install.exe (Trojan.FakeAlert) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\wind32.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\winivstr.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0000696.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0000709.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0000716.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0004770.scr (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005762.exe (Trojan.Peed) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005763.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005770.dll (Rogue.Multiple) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005771.dll (Rogue.Brave.Sentry) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005772.dll (Rogue.Multiple) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005774.dll (Adware.E404) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005776.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005777.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005778.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005788.exe (Worm.Zhelatin) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005797.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005799.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005803.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005812.exe (Worm.Zhelatin) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0005813.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006795.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006796.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006808.dll (Rogue.WinReanimator) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006906.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006908.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006909.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006910.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006911.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006912.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006913.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006915.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006916.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006918.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006919.exe (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006920.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006921.exe (Trojan.Cryptic) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006922.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006923.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006924.exe (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006925.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006936.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006937.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006938.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006939.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006940.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006941.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006942.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006944.exe (BackDoor.Sdbot) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006945.exe (BackDoor.Sdbot) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006946.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006947.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006948.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006949.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006950.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006952.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006955.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006963.exe (Trojan.Peed) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006964.sys (Trojan.Srizbi) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006965.sys (Trojan.Srizbi) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006966.exe (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006967.exe (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006968.exe (BackDoor.Bech) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006969.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0006970.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007790.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007793.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007794.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007797.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007798.dll (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007799.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007801.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007804.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007805.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP5\A0007811.exe (Trojan.Peed) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0007879.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0007882.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0007932.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008369.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008373.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008374.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008375.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008376.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008424.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008899.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008904.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008914.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008929.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008948.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0008949.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0009035.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0010048.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0010060.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\Program Files\WinReanimator\htmlayout.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\pthreadVC2.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\un.ico (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\unzip32.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\WinReanimator.exe (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\data\daily.cvd (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll (Rogue.WinReanimator) -> No action taken.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll (Rogue.WinReanimator) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk (Rogue.WinReanimator) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk (Rogue.WinReanimator) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\univrs32.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\delself.bat (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk (Rogue.WinReanimator) -> No action taken.

Attached Files


  • 0

#7
deekay_dk

deekay_dk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix 08-04-22.5 - Owner 2008-04-25 13:42:46.2 - NTFSx86
Running from: C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\figaro.sys
.
---- Previous Run -------
.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\WINDOWS\base64.tmp
C:\WINDOWS\braviax.exe
C:\WINDOWS\Help\oqtxde.chm
C:\WINDOWS\nivavir.config
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dllcache\figaro.sys
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\uFhiQqss.ini
C:\WINDOWS\system32\uFhiQqss.ini2
C:\WINDOWS\system32\univrs32.dat
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\Web\def.htm
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_asc3550p
-------\Service_oqtxde
-------\Service_asc3550p


((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 13:41 . 2002-08-29 05:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-04-25 13:41 . 2002-08-29 05:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-04-25 12:55 . 2008-04-25 12:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 11:58 . 2008-04-25 11:58 <DIR> d-------- C:\Deckard
2008-04-24 20:54 . 2008-04-25 13:37 <DIR> d-------- C:\!KillBox
2008-04-24 20:30 . 2008-04-24 20:30 <DIR> d-------- C:\VundoFix Backups
2008-04-24 20:10 . 2008-04-24 20:12 <DIR> d-------- C:\MGtools
2008-04-24 20:10 . 2008-04-24 20:12 40,568 --a------ C:\MGlogs.zip
2008-04-24 20:10 . 2005-01-13 20:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-04-24 19:59 . 2008-04-24 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-24 19:42 . 2008-04-24 19:42 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\Malwarebytes
2008-04-24 19:20 . 2008-04-24 19:20 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Malwarebytes
2008-04-24 19:20 . 2008-04-24 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 19:19 . 2008-04-24 19:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-24 19:12 . 2008-04-24 19:12 <DIR> d-------- C:\WinPFind3u
2008-04-24 19:12 . 2008-04-24 19:12 <DIR> d-------- C:\Rustbfix
2008-04-24 19:11 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-24 19:11 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-24 19:11 . 2008-03-09 02:15 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-24 19:11 . 2008-03-05 23:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-24 19:11 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-24 19:11 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-24 19:11 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-24 18:51 . 2008-04-24 18:51 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-24 18:44 . 2007-10-29 15:46 401,720 --a------ C:\Hjeeet.exe
2008-04-24 18:37 . 2008-04-24 18:37 483,328 --a------ C:\WINDOWS\system32\hphmon05.exe
2008-04-24 18:37 . 2002-10-16 16:57 81,920 --a------ C:\WINDOWS\system32\ps2.exe
2008-04-24 18:37 . 2008-04-24 18:37 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
2008-04-24 18:14 . 2008-04-24 18:14 <DIR> d-------- C:\Program Files\CCleaner
2008-04-24 17:32 . 2008-04-24 17:32 10,752 --a------ C:\exefix_xp.com
2008-04-24 17:31 . 2008-04-24 17:30 69,696 --a------ C:\FixSirc.com
2008-04-24 17:15 . 2008-04-25 13:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-24 17:15 . 2008-04-24 17:15 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\SUPERAntiSpyware.com
2008-04-24 17:15 . 2008-04-24 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-24 17:15 . 2008-04-24 17:21 1,509,211 ---hs---- C:\WINDOWS\system32\krdkkjha.ini
2008-04-24 17:14 . 2008-04-24 17:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 17:13 . 2008-04-24 17:13 109,738 --a------ C:\WINDOWS\BM4794470a.xml
2008-04-23 05:15 . 2008-04-23 05:18 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-23 05:15 . 2008-04-23 05:18 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-23 05:13 . 2008-04-24 18:48 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-22 18:56 . 2008-04-22 18:56 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-04-22 18:38 . 2008-04-22 19:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 18:38 . 2008-04-22 18:38 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-04-22 11:15 . 2002-08-29 02:01 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-22 11:15 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-04-22 11:15 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-04-22 11:15 . 2002-08-29 01:50 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 11:15 . 2002-08-29 03:40 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-22 11:15 . 2001-08-17 13:48 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-22 11:15 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-22 11:15 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-22 11:15 . 2002-08-29 01:32 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-04-22 11:14 . 2002-08-29 01:33 55,680 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-22 11:14 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-04-22 09:59 . 2008-04-22 09:59 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\ErrorSmart
2008-04-22 09:52 . 2008-04-25 13:43 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-04-22 08:29 . 2002-12-12 01:34 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-22 08:28 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuenginenew.dll
2008-04-22 08:28 . 2008-04-22 08:28 4,094 -rahs---- C:\WINDOWS\system32\drivers\HP_PC032A-ABA A527X_YC_Pavi_QMXK423_E42NAheBLU4_4_IKelut_SASUSTek Computer INC._V2.02_B3.03_T040209_WXH1_L409_M448_J120_7AMD_8Athlon XP 3000+_92.1_111063044_N11063065_P_Z11C1048C_K_A11063059_U11063038_G11067205.MRK
2008-04-22 08:27 . 2005-06-01 12:54 175,712 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\GDIPFONTCACHEV1.DAT
2008-04-22 08:26 . 2008-04-17 15:01 7,160 --a------ C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\NMM-MetaData.db
2008-04-22 08:14 . 2008-03-25 08:46 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Incomplete
2008-04-22 08:14 . 2005-03-18 16:27 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Yahoo! Messenger
2008-04-22 08:14 . 2006-05-01 14:24 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Yahoo!
2008-04-22 08:14 . 2006-12-22 09:38 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\WildTangent
2008-04-22 08:14 . 2007-08-26 12:40 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Webshots
2008-04-22 08:14 . 2007-11-25 13:25 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Viewpoint
2008-04-22 08:14 . 2008-04-22 06:13 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\TmpRecentIcons
2008-04-22 08:14 . 2006-11-02 08:01 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Template
2008-04-22 08:14 . 2004-01-21 02:48 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Symantec
2008-04-22 08:14 . 2004-01-20 20:21 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Sonic
2008-04-22 08:14 . 2004-06-28 10:32 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Share-to-Web Upload Folder
2008-04-22 08:14 . 2007-05-11 10:30 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\ScamBlocker
2008-04-22 08:14 . 2004-01-20 21:29 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\SampleView
2008-04-22 08:14 . 2008-04-17 14:48 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\PC Suite
2008-04-22 08:14 . 2008-04-18 14:16 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Nokia Multimedia Player
2008-04-22 08:14 . 2008-04-17 11:19 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Nokia
2008-04-22 08:14 . 2005-10-31 13:10 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Musicmatch
2008-04-22 08:14 . 2007-09-26 12:17 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\MSN6
2008-04-22 08:14 . 2004-07-14 09:29 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Motive
2008-04-22 08:14 . 2008-03-31 13:05 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\LimeWire
2008-04-22 08:14 . 2004-06-28 08:20 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Leadertech
2008-04-22 08:14 . 2004-12-23 14:46 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\j2 Global
2008-04-22 08:14 . 2004-12-06 07:40 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\InterVideo
2008-04-22 08:14 . 2008-04-24 18:18 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\interMute
2008-04-22 08:14 . 2005-07-22 11:20 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\HP
2008-04-22 08:14 . 2006-07-09 13:54 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\funkitron
2008-04-22 08:14 . 2004-09-20 18:01 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\FUJIFILM
2008-04-22 08:14 . 2005-05-29 16:27 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\EarthLink Toolbar
2008-04-22 08:14 . 2007-05-11 10:24 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Earthlink
2008-04-22 08:14 . 2008-04-17 17:15 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Datalayer
2008-04-22 08:14 . 2008-02-02 09:07 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Aim
2008-04-22 08:14 . 2007-10-20 10:41 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\AdobeUM
2008-04-22 08:13 . 2004-01-20 20:48 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\WINDOWS
2008-04-22 08:13 . 2004-06-27 16:13 <DIR> d---s---- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\UserData
2008-04-22 08:13 . 2008-03-25 08:45 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Shared
2008-04-22 08:13 . 2008-04-17 17:15 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Phone Browser
2008-04-22 08:13 . 2008-04-25 13:38 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z
2008-04-22 08:13 . 2008-04-25 13:48 77,824 --ah----- C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\ntuser.dat.LOG
2008-04-22 07:57 . 2004-01-20 20:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 07:57 . 2004-06-27 16:13 <DIR> d--hs---- C:\WINDOWS\system32\config\systemprofile\UserData
2008-04-22 07:57 . 2008-03-25 08:45 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Shared
2008-04-22 07:57 . 2008-04-17 17:15 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Phone Browser
2008-04-22 07:57 . 2008-03-25 08:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Incomplete
2008-04-22 07:55 . 2003-09-19 01:47 10,368 --------- C:\WINDOWS\system32\drivers\pfc.sys
2008-04-22 07:54 . 2001-12-10 17:42 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-04-22 07:54 . 2001-12-10 17:42 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-04-22 07:54 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-04-22 07:54 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-04-22 07:54 . 2001-12-10 17:42 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-04-22 07:54 . 2001-12-10 17:42 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-04-22 07:53 . 2001-08-17 22:37 22,016 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-04-22 07:52 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-22 07:52 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-22 07:20 . 2004-06-27 16:13 <DIR> d--hs---- C:\Documents and Settings\Default User\UserData
2008-04-22 07:20 . 2008-03-25 08:45 <DIR> d-------- C:\Documents and Settings\Default User\Shared
2008-04-22 07:20 . 2008-04-17 17:15 <DIR> d-------- C:\Documents and Settings\Default User\Phone Browser
2008-04-22 07:20 . 2008-03-25 08:46 <DIR> d-------- C:\Documents and Settings\Default User\Incomplete
2008-04-21 22:12 . 2008-04-21 22:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-04-21 19:40 . 2008-04-21 19:40 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-04-17 11:14 . 2008-04-17 11:14 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-17 11:14 . 2008-04-17 11:14 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-01 13:54 . 2008-04-01 13:54 <DIR> d-------- C:\Program Files\Cablenut

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 02:28 --------- d-----w C:\Program Files\Wxvwgbtk
2008-04-25 01:48 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-04-25 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\dmpqzarm
2008-04-23 11:27 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-23 11:23 --------- d-----w C:\Program Files\Google
2008-04-22 16:01 3,884 -c--a-w C:\WINDOWS\viassary-hp.reg
2008-04-22 16:01 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-22 13:13 --------- d-----w C:\Program Files\The Cleaner
2008-04-22 13:13 --------- d-----w C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\TmpRecentIcons
2008-04-22 02:40 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
2008-04-18 21:16 --------- d-----w C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\Nokia Multimedia Player
2008-04-18 00:15 --------- d-----w C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\Datalayer
2008-04-17 21:48 --------- d-----w C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\PC Suite
2008-04-17 18:19 --------- d-----w C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\Nokia
2008-04-17 18:14 --------- d-----w C:\Program Files\Nokia
2008-04-17 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-03-31 20:05 --------- d-----w C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\LimeWire
2008-03-24 21:09 --------- d-----w C:\Program Files\Common Files\Adobe
2006-11-04 23:08 135,168 ----a-w C:\Documents and Settings\All Users\Application Data\jevavqno.dll
2006-11-04 22:35 118 ----a-w C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\c39.bat
2006-11-05 23:29 6,668 --sha-w C:\WINDOWS\system32\tEdedJjl.ini2
.
Files Infected - Win32.Agent.zb
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 18:37 151597]
"AGRSMMSG"="AGRSMMSG.exe" [2003-12-12 22:54 88363 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 21:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jdgf894jrghoiiskd"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
"Service Pack 1"="C:\WINDOWS\System32\vedxg6ame4.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lDbygiFghaRNwYW"= {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\system32\kpdfw.dll [2002-08-29 05:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 11:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jmq57.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xce13.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S1 ydhqzop;ydhqzop;C:\WINDOWS\ydhqzop.sys []
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-22 18:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 16:01:33 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2006-11-04 22:34:18 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-04-23 01:56:41 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 13:48:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset004\Services\asc3550p]

.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2008-04-25 13:55:15 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-25 20:55:04

Pre-Run: 92,523,921,408 bytes free
Post-Run: 92,526,321,664 bytes free

260

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:12 PM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Hjeeet.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\System32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34CBAC89-5A56-4597-9D36-7EE5CDAE839F}: NameServer = 192.168.0.2,192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{34CBAC89-5A56-4597-9D36-7EE5CDAE839F}: NameServer = 192.168.0.2,192.168.0.3
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: lDbygiFghaRNwYW - {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\system32\kpdfw.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 4693 bytes

Attached Files


  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

C:\Program Files\WinReanimator\Microsoft.VC80.CRT (Rogue.WinReanimator) -> No action taken.

the malwarebytes scan found a lot of infections, but none were removed. so could you rerun malwarebytes and do Full scan again.

When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

and then could you rerun combofix again and post the malwarebytes log and combofix log and a new hijackthis log in your next post

andrewuk
  • 0

#9
deekay_dk

deekay_dk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
It seems MWB fixed it. The 2nd scan only found 2 small items. SDFix and ComboFix came back clean as well as HJT

Malwarebytes' Anti-Malware 1.11
Database version: 682

Scan type: Full Scan (C:\|)
Objects scanned: 155614
Time elapsed: 44 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP6\A0011153.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:43 PM, on 4/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{34CBAC89-5A56-4597-9D36-7EE5CDAE839F}: NameServer = 192.168.0.2,192.168.0.3
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: lDbygiFghaRNwYW - {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\system32\kpdfw.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 4357 bytes



SDFix: Version 1.116

Run by Administrator on Sun 04/27/2008 at 12:45 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 12:54:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p]
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Group"="SCSI miniport"
"Tag"=dword:0000002a
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\Prefetch\PCHealth\UploadLB
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries\UploadM.exe 138752 bytes executable
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config\config.xml 466 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 22 Apr 2008 196 A.SHR --- "C:\BOOT.BAK"
Wed 30 Aug 2006 36,685 ...H. --- "C:\Program Files\eFax Messenger Plus 3.3\J2GPlus.exe-BarStateC"
Wed 29 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMComReg.exe"
Sun 26 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 7 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat 7 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat 7 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat 7 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat 7 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat 7 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat 7 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat 7 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat 7 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat 7 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat 7 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat 7 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat 7 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"
Sun 26 Aug 2007 20 A..H. --- "C:\Documents and Settings\Default User\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sun 26 Aug 2007 20 A..H. --- "C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sun 26 Aug 2007 20 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"

Finished!
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will fix your file associations, update your java, remove some remaining infections and do a final scan.

the scan will likely take 2 hours, quite possibly much longer. so just let it run.

also, i notice that you have two antivirus programs running: AVAST and Norton (though it looks only like remnants of norton). therefore we will also remove the norton in this post. running more than one antivirus program can slow your system and indeed provide, less not more, protection.

i suspect the scan will pick up the odd item which we will remove in the following post. all going well i suspect we are almost done.


====STEP 1====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
if that does not work then Please download DAFT and save it to your desktop and Double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button"

====STEP 2====
Clearing the Java cache:
there is a nice set of instructions http://www.java.com/.../5000020300.xml

Click Start > Control Panel.

Double-click the Java icon in the control panel and then the Java Control Panel will appear.

Click Settings under Temporary Internet Files and the Temporary Files Settings dialog box appears.

Click Delete Files and the Delete Temporary Files dialog box appears.

Make sure all three boxes are ticked: Downloaded Applets, Downloaded Applications and Other Files and then Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

====STEP 3====
Go HERE and choose the product that is installed and then download the removal tool.
Run it and reboot.
This should get rid of Norton.


====STEP 4====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

====STEP 6====
i am pretty sure you dont but there is a chance that you may have some infections that target Hijackthis.

I will need you to rename Hijackthis:
To do this:
  • Go to Start
  • Right click and choose Explore
  • Navigate to this location C:\Program Files\TrendMicro\Hijackthis
  • Open the Hijackthis folder
  • Right click on the Hijackthis icon and click rename
  • rename it to Gotcha

====STEP 7====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O21 - SSODL: lDbygiFghaRNwYW - {44A7743A-EE0D-DE90-4441-CB946BE9BCEF} - C:\WINDOWS\system32\kpdfw.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 8====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\kpdfw.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



In your next reply could i see:
1. the kaspersky log
2. the combofix log <== could you post this, it has lots of useful information
3. a new hijackthis log
4. some idea of how your machine in running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#11
deekay_dk

deekay_dk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks, It will take me about 2 days to reply back again as I am leaving for town for a business trip. Please dont close the topic and I will reply back asap. Thanks
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
no problem, i will keep it open :)

safe journey
  • 0

#13
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
back with us?
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP