Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

BIG TROUBLE [RESOLVED]

Started by Chron8891 , May 08 2008 05:13 PM

  • This topic is locked This topic is locked

#1
Chron8891
Posted 08 May 2008 - 05:13 PM

Chron8891

    Member

  • Member
  • PipPip
  • 15 posts
My computer is having serious problems. Im getting insane amounts of popups. MAlware is taking over, processes are randomly opening. Theres some kind of Reneck Ads that took over the desktop and changed the background.
Here is the HiJackThis Log. I need to know everything to do, fast as posible. Much appreciated.

::EDIT::
Posted Logfile in Reply.

Edited by Chron8891, 08 May 2008 - 05:18 PM.

  • 0

Advertisements

#2
Chron8891
Posted 08 May 2008 - 05:17 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Apparently the log got cut off so here it is again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:41 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QW5uZSBSdXRsZWRnZQ\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\mrofinu1188.exe
C:\windows\system32\jjwnw64p.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\qcntkkdm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: qtvglped - {3D91099B-562D-49EC-BDBD-78C5DE9CAED9} - C:\WINDOWS\qtvglped.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [{25-5B-B5-5C-DW}] C:\windows\system32\jjwnw64p.exe DWram
O4 - HKLM\..\Run: [{1c6f2bbd-09ab-e9a4-8c7d-5edc76cd200f}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{44973b67-9c2a-1db7-cc23-2d175a5d5474}.dll" DllInit
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntkkdm.exe DWram
O4 - HKLM\..\Run: [94525bf3] rundll32.exe "C:\WINDOWS\system32\flxtlsxt.dll",b
O4 - HKLM\..\Run: [BM9761686f] Rundll32.exe "C:\WINDOWS\system32\qkqwdcud.dll",s
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\badman420\Application Data\Deskbar_{8EAF05CC-14F6-4643-95D1-77ED26A40204}\starter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntkkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jjwnw64p.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204587399750
O20 - AppInit_DLLs: C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5uZSBSdXRsZWRnZQ\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5645 bytes
  • 0

#3
Chron8891
Posted 08 May 2008 - 08:56 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Bump...
  • 0

#4
JSntgRvr
Posted 08 May 2008 - 08:58 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Chron8891 :)

Welcome.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Running SDFix:
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt in your next reply
Posted ImageDownload Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:
  • Scroll down and click the [Manage Attachments] button
  • Browse to the following folder:
    • C:\Deckard\System Scanner
  • Click Upload to upload these files one by one
  • Submit your reply

  • 0

#5
Chron8891
Posted 09 May 2008 - 12:59 AM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ok, I've done what you suggested.
The Ads or Malware on the Desktop are gone now, the computer is still running super slow though.

I've attached the Log Files. Thanks for your time.

Attached Files


  • 0

#6
JSntgRvr
Posted 09 May 2008 - 12:19 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Chron8891 :)

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, LSAfix.reg . Once extracted, open the folder and double click on the LSAfix.reg file and select Yes when prompted to merge it into the registry.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - C:\WINDOWS\system32\hgGwtTnM.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {992CFEB9-FE49-4E64-B377-F97BC3728806} - C:\WINDOWS\system32\ssqQijjg.dll (file missing)
O2 - BHO: gooochi browser optimizer - {9d024223-33ed-6cea-c175-82dc5269d99f} - C:\WINDOWS\system32\{44973b67-9c2a-1db7-cc23-2d175a5d5474}.dll (file missing)
O2 - BHO: (no name) - {A7E81B89-DF38-40C8-A767-6FBECB65B862} - C:\WINDOWS\system32\vtUlKdDS.dll
O2 - BHO: {82387743-4e04-430a-2234-2a0f661a8f0d} - {d0f8a166-f0a2-4322-a034-40e434778328} - C:\WINDOWS\system32\isrbcycv.dll
O2 - BHO: (no name) - {E6F5A45F-2D7A-419D-BE5A-27FA6ED1611F} - C:\WINDOWS\system32\vtUoLDTL.dll
O4 - HKLM\..\Run: [94525bf3] rundll32.exe "C:\WINDOWS\system32\lyaeewyv.dll",b
O20 - Winlogon Notify: hgGwtTnM - hgGwtTnM.dll (file missing)
O20 - Winlogon Notify: vtUlKdDS - C:\WINDOWS\SYSTEM32\vtUlKdDS.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm



Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]C:\WINDOWS\system32\vtUlKdDS.dllC:\WINDOWS\system32\isrbcycv.dllC:\WINDOWS\system32\vtUoLDTL.dllC:\WINDOWS\system32\lyaeewyv.dllC:\WINDOWS\privacy_danger\index.htmC:\WINDOWS\system32\vyweeayl.ini2  C:\WINDOWS\system32\lyaeewyv.dll  C:\WINDOWS\system32\isrbcycv.dll  C:\WINDOWS\system32\hbunlncg.exe  C:\WINDOWS\system32\cscnmifp.dll  C:\WINDOWS\system32\phnoausb.dll  C:\WINDOWS\system32\sneuoyrv.exe  C:\WINDOWS\system32\flxtlsxt.dll  C:\WINDOWS\system32\winpfz33.sys  C:\WINDOWS\system32\qkqwdcud.dll  C:\WINDOWS\system32\gvrvbrel.exe  C:\WINDOWS\system32\lgdmpypk.dll  C:\WINDOWS\system32\fwoncjpt.dll  C:\WINDOWS\system32\TCffOXyb.ini2  C:\WINDOWS\system32\byXOffCT.dll  C:\WINDOWS\system32\g93.exe  C:\WINDOWS\system32\qoMeEUMg.dll  C:\WINDOWS\system32\lxtuxsum.exe  C:\WINDOWS\system32\xgosuetw.dll  C:\WINDOWS\system32\tstfmjne.dll  C:\WINDOWS\system32\LTDLoUtv.ini2  C:\WINDOWS\system32\vtUoLDTL.dll  C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe  C:\WINDOWS\system32\gside.exe  C:\WINDOWS\system32\gjjiQqss.ini2C:\WINDOWS\system32\mysidesearch_sidebar.dllC:\WINDOWS\QW5uZSBSdXRsZWRnZQ  C:\WINDOWS\system32\xIT2  C:\WINDOWS\system32\ViBE  C:\WINDOWS\system32\ad1  C:\WINDOWS\system32\1019b  C:\Documents and Settings\All Users\Application Data\cvuzcpahHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{992CFEB9-FE49-4E64-B377-F97BC3728806}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d024223-33ed-6cea-c175-82dc5269d99f}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7E81B89-DF38-40C8-A767-6FBECB65B862}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0f8a166-f0a2-4322-a034-40e434778328}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6F5A45F-2D7A-419D-BE5A-27FA6ED1611F}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM9761686fHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\94525bf3HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0\\SourceHKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0\\FriendlyNameHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{A7E81B89-DF38-40C8-A767-6FBECB65B862}HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwtTnMHKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlKdDS EmptyTemp[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a Hijackthis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#7
Chron8891
Posted 11 May 2008 - 07:53 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here is the HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:48 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: {feff17c3-d214-510a-1bc4-7b28aeaefe22} - {22efeaea-82b7-4cb1-a015-412d3c71ffef} - C:\WINDOWS\system32\fwfayreq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A1AAD61C-8B51-4FCF-8A77-56DC91A4A8E5} - (no file)
O2 - BHO: (no name) - {A7E81B89-DF38-40C8-A767-6FBECB65B862} - C:\WINDOWS\system32\vtUlKdDS.dll
O2 - BHO: (no name) - {A8EC84CE-319B-4955-AA96-7EFE984D0D2F} - C:\WINDOWS\system32\geBrRIYO.dll
O2 - BHO: (no name) - {AD3418C5-8088-416B-82E1-E76692A6876D} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204587399750
O20 - AppInit_DLLs: C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O20 - Winlogon Notify: vtUlKdDS - C:\WINDOWS\SYSTEM32\vtUlKdDS.dll
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe

--
End of file - 4392 bytes
  • 0

#8
Chron8891
Posted 11 May 2008 - 08:04 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here is the MAlwareByte's Log

Malwarebytes' Anti-Malware 1.12
Database version: 740

Scan type: Quick Scan
Objects scanned: 64791
Time elapsed: 54 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 81
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 7
Files Infected: 47

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vtUoLDTL.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yugqsanb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mysidesearch_sidebar.dll (Adware.BHO) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d0a102d-0f5e-4d9e-bd5d-326321fb3f62} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9d0a102d-0f5e-4d9e-bd5d-326321fb3f62} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9506910a-0f94-4ea1-b567-7070428b8b2b} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9506910a-0f94-4ea1-b567-7070428b8b2b} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{faba076a-478a-4c32-a0a5-c774607901c2} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{faba076a-478a-4c32-a0a5-c774607901c2} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1037b06c-84b7-4240-8d80-485810a0497d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{54b287f9-fd90-4457-b65e-cb91560c021d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarbho.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarenabler.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f15b157-40d9-4b20-8d3b-b1f8b475b58d} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a0881aa1-68be-41ac-9c0d-4c8a69c6c72c} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e827ffd9-95d1-4b49-beb3-5d49e688c108} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{80985322-3f89-4873-9bce-9297d217ccad} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d263b532-c528-49e5-8bb6-80fa67332c9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7165223d-d2c9-422b-8126-411b11842b8b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cuskina.avideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f039c188-d8c7-4b6e-b6cc-a5e789b11329} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f039c188-d8c7-4b6e-b6cc-a5e789b11329} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e94eb13e-d78f-0857-7734-5e67a49ffff1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d70e9b0f-aabc-4066-8176-c6de84d92fa1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho.1 (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysidesearchsearchassistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{565acb1f-f7b0-4870-8b0d-1cd4754a9a9c} (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{665b7b03-76e2-4330-a107-c57bef3f949d} (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\contexttool (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc-cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mirar (AdWare.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusHeat 4.3.exe 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94525bf3 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM9761686f (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtuoldtl -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\contexttool (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\VirusHeat 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Start Menu\Programs\VirusHeat 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\badman420\Start Menu\Programs\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\byXOffCT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TCffOXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TCffOXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUoLDTL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LTDLoUtv.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LTDLoUtv.ini2 (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yugqsanb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bnasqguy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\system32\g93.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{44973b67-9c2a-1db7-cc23-2d175a5d5474}.dll-uninst.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\br217.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\badman420\Local Settings\Temporary Internet Files\Content.IE5\0ZLJYQJ9\dm[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\badman420\Local Settings\Temporary Internet Files\Content.IE5\A3QZ6XAR\webupdater[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\badman420\Local Settings\Temporary Internet Files\Content.IE5\KDE7WLMR\installer[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Documents and Settings\badman420\Local Settings\Temporary Internet Files\Content.IE5\X3JB5XOE\Codec[2].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Local Settings\Temporary Internet Files\Content.IE5\6VILKT4H\g93[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\contexttool\ContextHelper.dat (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Program Files\contexttool\ContextTool-2.dll (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Program Files\contexttool\pcre3.dll (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Program Files\contexttool\uninstall.exe (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\PlayMP3.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner\PC-Cleaner.db (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner\PC-Cleaner.exe (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner\pccleaner.pkg (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner\program.info (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner\Uninstall.exe (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\VirusHeat 4.3\Uninstall VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3 Website.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Start Menu\Programs\VirusHeat 4.3\Uninstall VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3 Website.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\badman420\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jfjsbdck.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\qoMeEUMg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Desktop\fwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Start Menu\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anne Rutledge\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
  • 0

#9
JSntgRvr
Posted 11 May 2008 - 08:38 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Chron8891 :)

I removed the OTMoveIT report as it did not work. The script appeared as a single line. In the next fix make sure the lines pasted appears on the windows as single lines, but not as a single line. For example, they should appear as:

1
2
3
4

And not as, 1 2 3 4... etc

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:Files to delete:C:\WINDOWS\system32\vtUlKdDS.dllC:\WINDOWS\system32\isrbcycv.dllC:\WINDOWS\system32\vtUoLDTL.dllC:\WINDOWS\system32\lyaeewyv.dllC:\WINDOWS\privacy_danger\index.htmC:\WINDOWS\system32\vyweeayl.ini2C:\WINDOWS\system32\lyaeewyv.dllC:\WINDOWS\system32\isrbcycv.dllC:\WINDOWS\system32\hbunlncg.exeC:\WINDOWS\system32\cscnmifp.dllC:\WINDOWS\system32\phnoausb.dllC:\WINDOWS\system32\sneuoyrv.exeC:\WINDOWS\system32\flxtlsxt.dllC:\WINDOWS\system32\winpfz33.sysC:\WINDOWS\system32\qkqwdcud.dllC:\WINDOWS\system32\gvrvbrel.exeC:\WINDOWS\system32\lgdmpypk.dllC:\WINDOWS\system32\fwoncjpt.dllC:\WINDOWS\system32\TCffOXyb.ini2C:\WINDOWS\system32\byXOffCT.dllC:\WINDOWS\system32\g93.exeC:\WINDOWS\system32\qoMeEUMg.dllC:\WINDOWS\system32\lxtuxsum.exeC:\WINDOWS\system32\xgosuetw.dllC:\WINDOWS\system32\tstfmjne.dllC:\WINDOWS\system32\LTDLoUtv.ini2C:\WINDOWS\system32\vtUoLDTL.dllC:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exeC:\WINDOWS\system32\gside.exeC:\WINDOWS\system32\gjjiQqss.ini2C:\WINDOWS\system32\mysidesearch_sidebar.dllFolders to delete:C:\WINDOWS\QW5uZSBSdXRsZWRnZQC:\WINDOWS\system32\xIT2C:\WINDOWS\system32\ViBEC:\WINDOWS\system32\ad1C:\WINDOWS\system32\1019bC:\Documents and Settings\All Users\Application Data\cvuzcpahRegistry Keys to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{992CFEB9-FE49-4E64-B377-F97BC3728806}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d024223-33ed-6cea-c175-82dc5269d99f}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7E81B89-DF38-40C8-A767-6FBECB65B862}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0f8a166-f0a2-4322-a034-40e434778328}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6F5A45F-2D7A-419D-BE5A-27FA6ED1611F}HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwtTnMHKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlKdDSReistry values to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BM9761686fHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 94525bf3HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0 | SourceHKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0 | FriendlyNameHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {A7E81B89-DF38-40C8-A767-6FBECB65B862}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

#10
Chron8891
Posted 11 May 2008 - 10:27 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here is the Avenger Log

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun May 11 22:14:32 2008

22:14:13: Error: Invalid registry syntax in command:
"Reistry values to delete:"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry key deletion mode)  
22:14:17: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0 | Source"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry key deletion mode)  
22:14:18: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0 | FriendlyName"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry key deletion mode)  


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\vtUlKdDS.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\isrbcycv.dll" not found!
Deletion of file "C:\WINDOWS\system32\isrbcycv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\vtUoLDTL.dll" not found!
Deletion of file "C:\WINDOWS\system32\vtUoLDTL.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\lyaeewyv.dll" not found!
Deletion of file "C:\WINDOWS\system32\lyaeewyv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "C:\WINDOWS\privacy_danger\index.htm"
Deletion of file "C:\WINDOWS\privacy_danger\index.htm" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  file "C:\WINDOWS\system32\vyweeayl.ini2" not found!
Deletion of file "C:\WINDOWS\system32\vyweeayl.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\lyaeewyv.dll" not found!
Deletion of file "C:\WINDOWS\system32\lyaeewyv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\isrbcycv.dll" not found!
Deletion of file "C:\WINDOWS\system32\isrbcycv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\hbunlncg.exe" deleted successfully.
File "C:\WINDOWS\system32\cscnmifp.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\phnoausb.dll" not found!
Deletion of file "C:\WINDOWS\system32\phnoausb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\sneuoyrv.exe" deleted successfully.

Error:  file "C:\WINDOWS\system32\flxtlsxt.dll" not found!
Deletion of file "C:\WINDOWS\system32\flxtlsxt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\winpfz33.sys" not found!
Deletion of file "C:\WINDOWS\system32\winpfz33.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\qkqwdcud.dll" deleted successfully.
File "C:\WINDOWS\system32\gvrvbrel.exe" deleted successfully.

Error:  file "C:\WINDOWS\system32\lgdmpypk.dll" not found!
Deletion of file "C:\WINDOWS\system32\lgdmpypk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\fwoncjpt.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\TCffOXyb.ini2" not found!
Deletion of file "C:\WINDOWS\system32\TCffOXyb.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\byXOffCT.dll" not found!
Deletion of file "C:\WINDOWS\system32\byXOffCT.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\g93.exe" not found!
Deletion of file "C:\WINDOWS\system32\g93.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\qoMeEUMg.dll" not found!
Deletion of file "C:\WINDOWS\system32\qoMeEUMg.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\lxtuxsum.exe" deleted successfully.

Error:  file "C:\WINDOWS\system32\xgosuetw.dll" not found!
Deletion of file "C:\WINDOWS\system32\xgosuetw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\tstfmjne.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\LTDLoUtv.ini2" not found!
Deletion of file "C:\WINDOWS\system32\LTDLoUtv.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\vtUoLDTL.dll" not found!
Deletion of file "C:\WINDOWS\system32\vtUoLDTL.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" not found!
Deletion of file "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\gside.exe" deleted successfully.
File "C:\WINDOWS\system32\gjjiQqss.ini2" deleted successfully.

Error:  file "C:\WINDOWS\system32\mysidesearch_sidebar.dll" not found!
Deletion of file "C:\WINDOWS\system32\mysidesearch_sidebar.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Folder "C:\WINDOWS\QW5uZSBSdXRsZWRnZQ" deleted successfully.
Folder "C:\WINDOWS\system32\xIT2" deleted successfully.
Folder "C:\WINDOWS\system32\ViBE" deleted successfully.
Folder "C:\WINDOWS\system32\ad1" deleted successfully.
Folder "C:\WINDOWS\system32\1019b" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\cvuzcpah" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{992CFEB9-FE49-4E64-B377-F97BC3728806}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{992CFEB9-FE49-4E64-B377-F97BC3728806}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d024223-33ed-6cea-c175-82dc5269d99f}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d024223-33ed-6cea-c175-82dc5269d99f}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7E81B89-DF38-40C8-A767-6FBECB65B862}" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0f8a166-f0a2-4322-a034-40e434778328}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0f8a166-f0a2-4322-a034-40e434778328}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6F5A45F-2D7A-419D-BE5A-27FA6ED1611F}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6F5A45F-2D7A-419D-BE5A-27FA6ED1611F}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwtTnM" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwtTnM" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlKdDS" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BM9761686f" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BM9761686f" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 94525bf3" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 94525bf3" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {A7E81B89-DF38-40C8-A767-6FBECB65B862}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {A7E81B89-DF38-40C8-A767-6FBECB65B862}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

  • 0

Advertisements

#11
Chron8891
Posted 11 May 2008 - 10:30 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here is the HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:54 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [94525bf3] rundll32.exe "C:\WINDOWS\system32\gcvaedvt.dll",b
O4 - HKLM\..\Run: [BM9761686f] Rundll32.exe "C:\WINDOWS\system32\coeacnhe.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204587399750
O20 - AppInit_DLLs: C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe

--
End of file - 3757 bytes

  • 0

#12
JSntgRvr
Posted 12 May 2008 - 05:07 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Chron8891 :)

Right click on your desktop and select Properties. Select the Desktop tab, then click on Customize Desktop. Click on the Web tab. Delete all lines therein except for My Current Home Page. Click Ok on your way our of the properties window.

Please run DSS once again and post the resulting Main.txt report.
  • 0

#13
Chron8891
Posted 13 May 2008 - 12:23 AM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here is the DSS Log. I've also attached some JPG's of messages and pop ups I keep getting.

Deckard's System Scanner v20071014.68
Run by badman420 on 2008-05-12 23:10:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as badman420.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:41 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\badman420\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BADMAN~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8CA63FF4-8B5A-4CB7-9370-13995BD65856} - C:\WINDOWS\system32\geBrRIYO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A1AAD61C-8B51-4FCF-8A77-56DC91A4A8E5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AD3418C5-8088-416B-82E1-E76692A6876D} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: {84a49d0d-0a69-3e79-4484-5fb9ca8b765b} - {b567b8ac-9bf5-4844-97e3-96a0d0d94a48} - C:\WINDOWS\system32\dspiamst.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [94525bf3] rundll32.exe "C:\WINDOWS\system32\ngtluhdq.dll",b
O4 - HKLM\..\Run: [BM9761686f] Rundll32.exe "C:\WINDOWS\system32\beiyiyyg.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204587399750
O20 - AppInit_DLLs: C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4936 bytes

-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-12 22:09:35 116736 --a------ C:\WINDOWS\system32\dspiamst.dll
2008-05-12 22:06:33 2048 --a------ C:\WINDOWS\system32\iwevmnuu.exe
2008-05-12 22:03:35 95232 --a------ C:\WINDOWS\system32\ngtluhdq.dll
2008-05-12 22:00:40 109568 --a------ C:\WINDOWS\system32\beiyiyyg.dll
2008-05-12 13:14:44 0 d-------- C:\Documents and Settings\Anne Rutledge\Application Data\Google
2008-05-12 01:06:42 0 d-------- C:\Documents and Settings\David\Application Data\Google
2008-05-11 22:43:49 0 d-------- C:\Documents and Settings\badman420\Application Data\Google
2008-05-11 22:39:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-11 22:06:56 94720 -----n--- C:\WINDOWS\system32\edyhlluh.dll
2008-05-11 22:03:55 2048 --a------ C:\WINDOWS\system32\xdvvqtvo.exe
2008-05-11 21:58:00 109056 --a------ C:\WINDOWS\system32\wplvlapn.dll
2008-05-11 20:07:42 109056 --a------ C:\WINDOWS\system32\coeacnhe.dll
2008-05-11 20:06:42 291150 --ahs---- C:\WINDOWS\system32\tCfLmnpo.ini2
2008-05-11 20:06:33 371200 --a------ C:\WINDOWS\system32\opnmLfCt.dll
2008-05-11 19:57:03 0 d-------- C:\Documents and Settings\David\Application Data\Malwarebytes
2008-05-11 19:26:22 0 d-------- C:\Documents and Settings\David\Contacts
2008-05-11 18:51:47 2048 --a------ C:\WINDOWS\system32\tbycmnld.exe
2008-05-11 18:51:18 109056 --a------ C:\WINDOWS\system32\lyoqyuix.dll
2008-05-11 18:45:20 405925 --ahs---- C:\WINDOWS\system32\OYIRrBeg.ini2
2008-05-11 18:45:13 371200 --a------ C:\WINDOWS\system32\geBrRIYO.dll
2008-05-11 16:15:09 0 d-------- C:\Documents and Settings\badman420\Application Data\Malwarebytes
2008-05-11 16:12:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-11 16:12:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-11 15:51:06 0 d-------- C:\Documents and Settings\David\Application Data\Macromedia
2008-05-10 22:20:29 2048 --a------ C:\WINDOWS\system32\ogqbcdal.exe
2008-05-09 22:22:50 93696 --a------ C:\WINDOWS\system32\dfujnthe.dll
2008-05-09 22:19:50 2048 --a------ C:\WINDOWS\system32\kweaxrjf.exe
2008-05-09 22:16:57 109056 --a------ C:\WINDOWS\system32\rrxgcrvx.dll
2008-05-08 20:08:27 0 d-------- C:\WINDOWS\ERUNT
2008-05-08 19:53:24 0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2008-05-08 19:46:39 0 d-------- C:\Documents and Settings\David\Application Data\Identities
2008-05-08 19:45:36 0 dr------- C:\Documents and Settings\David\Favorites
2008-05-08 19:45:36 0 d-------- C:\Documents and Settings\David\Desktop
2008-05-08 19:45:36 0 d---s---- C:\Documents and Settings\David\Cookies
2008-05-08 19:45:36 0 dr-h----- C:\Documents and Settings\David\Application Data
2008-05-08 19:45:36 0 d---s---- C:\Documents and Settings\David\Application Data\Microsoft
2008-05-08 19:45:35 0 d--h----- C:\Documents and Settings\David\Templates
2008-05-08 19:45:35 0 dr------- C:\Documents and Settings\David\Start Menu
2008-05-08 19:45:35 0 dr-h----- C:\Documents and Settings\David\SendTo
2008-05-08 19:45:35 0 dr-h----- C:\Documents and Settings\David\Recent
2008-05-08 19:45:35 0 d--h----- C:\Documents and Settings\David\PrintHood
2008-05-08 19:45:35 0 d--h----- C:\Documents and Settings\David\NetHood
2008-05-08 19:45:35 0 dr------- C:\Documents and Settings\David\My Documents
2008-05-08 19:45:35 0 d--h----- C:\Documents and Settings\David\Local Settings
2008-05-08 19:45:34 786432 --ah----- C:\Documents and Settings\David\NTUSER.DAT
2008-05-08 19:16:52 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-08 19:16:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-08 19:16:52 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-08 19:16:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-08 19:16:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-08 19:16:50 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-08 19:16:50 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-08 19:16:50 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-08 19:16:50 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-08 19:16:50 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-08 19:16:50 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-08 19:16:50 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-08 19:16:50 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-08 19:16:50 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-08 16:05:10 0 d-------- C:\Program Files\Trend Micro
2008-05-08 16:02:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-08 16:02:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-08 16:00:43 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-08 01:47:45 0 d-------- C:\Program Files\Full Tilt Poker
2008-05-08 00:31:18 0 d-------- C:\Program Files\HoldemInspector2
2008-05-05 16:51:17 0 d-------- C:\Program Files\PartyGaming
2008-05-05 12:34:22 0 d-------- C:\WINDOWS\pss
2008-05-05 00:52:41 0 d-------- C:\Documents and Settings\badman420\Shared
2008-05-05 00:52:39 0 d-------- C:\Documents and Settings\badman420\Incomplete
2008-05-05 00:51:52 0 d-------- C:\Documents and Settings\badman420\Application Data\FrostWire
2008-05-04 18:26:16 0 d-------- C:\Program Files\Java
2008-05-04 18:25:43 0 d-------- C:\Program Files\Common Files\Java
2008-05-04 18:24:06 0 d-------- C:\Documents and Settings\badman420\Application Data\Sun
2008-05-04 18:21:34 0 d-------- C:\Program Files\FrostWire
2008-05-04 18:21:22 0 d-------- C:\Program Files\AskSBar
2008-05-03 18:37:11 0 d-------- C:\WINDOWS\system32\URTTemp
2008-05-02 19:05:57 0 d-------- C:\Program Files\PartyGaming.Net
2008-04-21 05:43:46 0 d-------- C:\Documents and Settings\badman420\Application Data\TmpRecentIcons
2008-04-20 21:56:51 0 d-------- C:\Documents and Settings\Anne Rutledge\Application Data\TmpRecentIcons
2008-04-12 10:24:14 0 d-------- C:\Documents and Settings\Anne Rutledge\Contacts


-- Find3M Report ---------------------------------------------------------------

2008-05-11 22:42:36 0 d-------- C:\Program Files\Google
2008-05-08 02:18:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-04 22:26:29 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-04 18:25:43 0 d-------- C:\Program Files\Common Files
2008-04-07 10:34:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-07 05:56:59 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-07 05:55:21 0 d-------- C:\Program Files\Windows Live Favorites
2008-04-04 01:58:55 0 d-------- C:\Program Files\Windows Live
2008-04-04 01:55:47 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-30 02:29:12 0 d-------- C:\Documents and Settings\badman420\Application Data\Macromedia
2008-03-30 02:22:20 0 d-------- C:\Documents and Settings\badman420\Application Data\Adobe
2008-03-30 00:50:13 0 d-------- C:\Documents and Settings\badman420\Application Data\Identities
2008-03-29 16:38:28 0 d-------- C:\Program Files\Defender Pro
2008-03-03 15:58:23 0 -rahs---- C:\MSDOS.SYS
2008-03-03 15:58:23 0 -rahs---- C:\IO.SYS
2008-03-03 15:58:23 0 --a------ C:\CONFIG.SYS
2008-03-03 15:58:23 0 --a------ C:\AUTOEXEC.BAT
2008-03-03 15:54:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-03 08:46:53 62 --ahs---- C:\Documents and Settings\badman420\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA63FF4-8B5A-4CB7-9370-13995BD65856}]
05/11/2008 06:45 PM 371200 --a------ C:\WINDOWS\system32\geBrRIYO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1AAD61C-8B51-4FCF-8A77-56DC91A4A8E5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD3418C5-8088-416B-82E1-E76692A6876D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b567b8ac-9bf5-4844-97e3-96a0d0d94a48}]
05/12/2008 10:09 PM 116736 --a------ C:\WINDOWS\system32\dspiamst.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [05/04/2008 06:21 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [10/16/2002 06:24 AM C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/15/2002 11:18 AM]
"AVP"="C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe" [08/07/2007 04:00 PM]
"94525bf3"="C:\WINDOWS\system32\ngtluhdq.dll" [05/12/2008 10:03 PM]
"BM9761686f"="C:\WINDOWS\system32\beiyiyyg.dll" [05/12/2008 10:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/11/2008 10:39:10 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A7E81B89-DF38-40C8-A767-6FBECB65B862}"= C:\WINDOWS\system32\vtUlKdDS.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fsvvcyfq]
C:\WINDOWS\system32\qhezsbsj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide




-- End of Deckard's System Scanner: finished at 2008-05-12 23:12:07 ------------

Attached Thumbnails

  • error.JPG
  • error2.JPG

  • 0

#14
JSntgRvr
Posted 13 May 2008 - 11:01 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Chron8891 :)

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:Files to delete:C:\WINDOWS\system32\dspiamst.dll  C:\WINDOWS\system32\iwevmnuu.exe  C:\WINDOWS\system32\ngtluhdq.dll  C:\WINDOWS\system32\beiyiyyg.dll  C:\WINDOWS\system32\edyhlluh.dll  C:\WINDOWS\system32\xdvvqtvo.exe  C:\WINDOWS\system32\wplvlapn.dll  C:\WINDOWS\system32\coeacnhe.dll  C:\WINDOWS\system32\tCfLmnpo.ini2  C:\WINDOWS\system32\opnmLfCt.dll  C:\WINDOWS\system32\tbycmnld.exe  C:\WINDOWS\system32\lyoqyuix.dll  C:\WINDOWS\system32\OYIRrBeg.ini2  C:\WINDOWS\system32\geBrRIYO.dll  C:\WINDOWS\system32\ogqbcdal.exe  C:\WINDOWS\system32\dfujnthe.dll  C:\WINDOWS\system32\kweaxrjf.exe  C:\WINDOWS\system32\rrxgcrvx.dll  C:\WINDOWS\system32\geBrRIYO.dllC:\WINDOWS\system32\dspiamst.dllC:\WINDOWS\system32\ngtluhdq.dllC:\WINDOWS\system32\beiyiyyg.dllC:\WINDOWS\system32\qhezsbsj.exeRegistry keys to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA63FF4-8B5A-4CB7-9370-13995BD65856}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1AAD61C-8B51-4FCF-8A77-56DC91A4A8E5}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD3418C5-8088-416B-82E1-E76692A6876D}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b567b8ac-9bf5-4844-97e3-96a0d0d94a48}HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fsvvcyfqRegistry values to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 94525bf3HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BM9761686fHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {A7E81B89-DF38-40C8-A767-6FBECB65B862}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a DSS main.txt log .
  • 0

#15
Chron8891
Posted 14 May 2008 - 10:29 PM

Chron8891

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\dspiamst.dll" not found!
Deletion of file "C:\WINDOWS\system32\dspiamst.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\iwevmnuu.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\ngtluhdq.dll" not found!
Deletion of file "C:\WINDOWS\system32\ngtluhdq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\beiyiyyg.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\edyhlluh.dll" not found!
Deletion of file "C:\WINDOWS\system32\edyhlluh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\xdvvqtvo.exe" deleted successfully.
File "C:\WINDOWS\system32\wplvlapn.dll" deleted successfully.
File "C:\WINDOWS\system32\coeacnhe.dll" deleted successfully.
File "C:\WINDOWS\system32\tCfLmnpo.ini2" deleted successfully.
File "C:\WINDOWS\system32\opnmLfCt.dll" deleted successfully.
File "C:\WINDOWS\system32\tbycmnld.exe" deleted successfully.
File "C:\WINDOWS\system32\lyoqyuix.dll" deleted successfully.
File "C:\WINDOWS\system32\OYIRrBeg.ini2" deleted successfully.
File "C:\WINDOWS\system32\geBrRIYO.dll" deleted successfully.
File "C:\WINDOWS\system32\ogqbcdal.exe" deleted successfully.
File "C:\WINDOWS\system32\dfujnthe.dll" deleted successfully.
File "C:\WINDOWS\system32\kweaxrjf.exe" deleted successfully.
File "C:\WINDOWS\system32\rrxgcrvx.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\geBrRIYO.dll" not found!
Deletion of file "C:\WINDOWS\system32\geBrRIYO.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\dspiamst.dll" not found!
Deletion of file "C:\WINDOWS\system32\dspiamst.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ngtluhdq.dll" not found!
Deletion of file "C:\WINDOWS\system32\ngtluhdq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\beiyiyyg.dll" not found!
Deletion of file "C:\WINDOWS\system32\beiyiyyg.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\qhezsbsj.exe" not found!
Deletion of file "C:\WINDOWS\system32\qhezsbsj.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA63FF4-8B5A-4CB7-9370-13995BD65856}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA63FF4-8B5A-4CB7-9370-13995BD65856}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1AAD61C-8B51-4FCF-8A77-56DC91A4A8E5}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD3418C5-8088-416B-82E1-E76692A6876D}" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b567b8ac-9bf5-4844-97e3-96a0d0d94a48}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b567b8ac-9bf5-4844-97e3-96a0d0d94a48}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fsvvcyfq" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|94525bf3" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BM9761686f" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{A7E81B89-DF38-40C8-A767-6FBECB65B862}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP