Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Downloader came back_Need Advice


  • This topic is locked This topic is locked

#1
MNHerbie

MNHerbie

    Member

  • Member
  • PipPip
  • 24 posts
Running XP SP2. It appears that I have the trojandownloader (and other stuff) after 'disinfecting' my computer a couple months ago. I thought I got rid of it.... You will see that I have several spyware and antivirus software systems installed, but its a convoluted mess, so I need some advice on what to uninstall. Are the free anti virus programs pretty effective with the trojan viruses?
I ran SDfix and allowed it to fix what it found ~ and it found a lot! Not good...
I then ran a hijackthis log only (no fixes).
Would appreciate your opinion and advice - keep up the good work!!
SDFix Log:

SDFix: Version 1.182
Run by John on Wed 05/14/2008 at 11:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4
ATMEPVCC

Path :
C:\WINDOWS\b2new.exe service
System32\drivers\atmepvcc.sys

MsSecurity1.209.4 - Deleted
ATMEPVCC - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi2"="wdmaud.drv"

Restoring .midi2 driver registry value to wdmaud.drv

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\QKCJVI.SYZ - Deleted
C:\WINDOWS\SYSTEM32\ULWHIL.SYZ - Deleted
C:\WINDOWS\SYSTEM32\V2V47Q.SYZ - Deleted
C:\WINDOWS\SYSTEM32\XQMYKS.SYZ - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\NoDNS\NoDNS.exe - Deleted
C:\Program Files\NoDNS\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\QdrDrive\QdrDrive12.dll - Deleted
C:\Program Files\QdrDrive\qdrloader.exe - Deleted
C:\Program Files\QdrPack\dicts.gz - Deleted
C:\Program Files\QdrPack\QdrPack14.exe - Deleted
C:\Program Files\QdrPack\QdrPack15.exe - Deleted
C:\Program Files\QdrPack\trgts.gz - Deleted
C:\Program Files\QdrModule\dic.gz - Deleted
C:\Program Files\QdrModule\dicy.gz - Deleted
C:\Program Files\QdrModule\kwd.gz - Deleted
C:\Program Files\QdrModule\pckr.dat - Deleted
C:\Program Files\QdrModule\QdrModule13.exe - Deleted
C:\Program Files\QdrModule\QdrModule15.exe - Deleted
C:\Program Files\Sysmnt\Ssmgr.exe - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\Program Files\winvi\Uninst.exe - Deleted
C:\Program Files\winvi\update.exe - Deleted
C:\Program Files\winvi\version.ini - Deleted
C:\Program Files\winvi\wupda.exe - Deleted
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js - Deleted
C:\Program Files\winvi\dsktp\desktop.html - Deleted
C:\Program Files\winvi\dsktp\internetDetection.swf - Deleted
C:\Program Files\winvi\dsktp\settings.sol - Deleted
C:\WINDOWS\b116.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\WINDOWS\b154.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\system32\000070.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\Documents and Settings\John\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\John\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\cdsm32.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\index.html - Deleted
C:\WINDOWS\Installer\id53.exe - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\MSNSA32.dll - Deleted
C:\WINDOWS\system32\ntnut32.exe - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\shdocpe.dll - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\WER8274.DLL - Deleted
C:\WINDOWS\system32\wmsdkns.exe - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\winsb.dll - Deleted
C:\WINDOWS\system32\12197002771.CPX - Deleted
C:\WINDOWS\system32\121970027712.CPX - Deleted
C:\WINDOWS\system32\1219700277133.CPX - Deleted
C:\WINDOWS\system32\12197002772.CPX - Deleted
C:\WINDOWS\system32\121970027733.CPX - Deleted
C:\WINDOWS\system32\drivers\ATMEPVCC.sys - Deleted



Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\NoDNS - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed
Folder C:\Program Files\Sysmnt - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\winvi - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 23:28:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1158032944\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1158032944\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\1158032944\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1158032944\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\vqQv.exe"="C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\vqQv.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 7 Jul 2007 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Tue 12 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Tue 12 Jul 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Fri 9 May 2008 88 ..SHR --- "C:\WINDOWS\system32\74042EF0CD.sys"
Tue 29 Apr 2008 56 ..SHR --- "C:\WINDOWS\system32\CDF02E0474.sys"
Fri 9 May 2008 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 7 Oct 2005 1,847,296 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE"
Fri 7 Oct 2005 62,464 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL"
Fri 7 Oct 2005 95,232 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE"
Fri 7 Oct 2005 36,864 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL"
Fri 7 Oct 2005 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE"
Sat 6 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 16 Mar 2008 89,088 ..SHR --- "C:\Documents and Settings\John\Application Data\??stem\dvdplay.exe"
Mon 28 Jan 2008 230,400 ..SHR --- "C:\Documents and Settings\John\My Documents\?icrosoft.NET\n?tdde.exe"
Tue 13 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\069dce5b3a6a576c9856befb57fca0a9\BIT2CD.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT489.tmp"
Mon 26 Nov 2001 102,467 A..H. --- "C:\Documents and Settings\John\Desktop\System Volume Information\_restore{15F76BDB-4348-451B-B0F5-24526EBF4DB0}\RP14\A0005394.exe"
Sat 20 Oct 2007 8 A..H. --- "C:\Documents and Settings\Blake\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 20 Oct 2007 8 A..H. --- "C:\Documents and Settings\Blake\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 20 Oct 2007 8 A..H. --- "C:\Documents and Settings\Blake\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 20 Oct 2007 8 A..H. --- "C:\Documents and Settings\Blake\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!


HIJACKTHIS LOG FIle after running SDFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:32 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1158032944\ee\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Bat\X_Bat.exe
C:\WINDOWS\system32\msiexec.exe
c:\program files\common files\aol\1158032944\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1158032944\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - (no file)
O2 - BHO: gooochi browser optimizer - {8f8a6db6-59e8-6034-eb1a-ff6357af5471} - C:\WINDOWS\system32\{f74a73a9-6dba-ead1-7bd4-9ddfa630e4d9}.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158032944\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kcntqkdm.exe DWram
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: Epson all-in-one Registration.lnk = F:\Titles\EpsonReg\EpsonReg.EXE
O4 - Startup: Event Reminder.lnk = H:\pmw\PMREMIND.EXE
O4 - Startup: Registration Pacific Fighters.LNK = F:\registration_us\RegistrationReminder.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYKDUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157601180667
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187663588765
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....oke/Coupons.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.co...ameLauncher.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Safety Settings Service - America Online, Inc. - C:\WINDOWS\system32\tdiins.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13704 bytes
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello MNHerbie

Welcome to G2Go. :)
=====================
DO not make multiple topics please post a topic in the waiting room if you do not get a reply.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Kahdah...
Thanks for the reply.
I'm having trouble connecting to the internet, so I'm reading your reply from work. AOL will startup, but just as the welcome screen comes up, it kicks me out. I also started getting the "DCOM error message" which would shut the computer off after 1 minute, but was able to circumvent that by turning off the timer at startup.
Internet explorer gives an error message, so I can't go that route either.
Because I can't get on the internet, I will try to save DSS and run it off CD...not sure if that will work or not.
thanks, again.
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Copy it from the cd to the affected computers desktop and then run it like that.
THen please post the logs.
Thanks.
  • 0

#5
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Kahdah ~
I copied DSS to a CD at work and tried to run it at home. The DSS scan stalled shortly after starting when it was 'backing up registry hives'.

The 1st error that I received was:
"bat has encountered a problem and needs to close" (this is the standard microsoft popup window that lets you report a problem. It has the 'send' / 'don't send' button at the bottom) I see this error routinely since the computers been infected as I startup, so DSS had nothing to do with the error as far as I can tell.

The 2nd error I recieved was:
"dss.exe has encountered a problem and needs to close". This stalled out the DSS scan.

The 3rd error I received was:
"Internet explorer has encountered a problem and needs to close" I also see this routinely since the computer has been infected.

The 4th error I received was:
"windows explorer has encountered a problem and needs to close'. If I just leave this window up and do not acknowledge it by selecting "send" or "don't send", the system is actually pretty stable. I can use all my desktop programs (word, etc). But, if I acknowledge that popup, it shuts down the system.


I was able to run SDfix a few days ago as shown by previous post, but now it will not run at all and gets hung up at "50% complete" when running in safe mode.

The other thing that I notice is that AOL tries to startup when I start the computer. AOL was never on the startup menu ~ but yet it tries to startup.
When I do try to sign on to AOL, it connects for a few seconds and then kicks me out. Its a little strange, because AOL will sometimes sign on for 5 or 6 seconds (long enough to open email), but sometimes only for a half second. Internet explorer doesn't work at all.

I appreciate your help - let me know if you have any advice or things to try.

One other item. I used to have Norton Ghost, which expired early last year. Would there be some type of restore point that I can get to through Norton Ghost? Or, would this restore point be too old or not accessible if I let the Norton Ghost subscription lapse? I've browsed around in Norton Ghost, but it keeps saying I need to re-subscribe.

Thanks again....
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok copy this tool to the cd and then copy it to the affected computers desktop then follow the prompts.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#7
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Kahdah ~
I copied combofix (which helped me the 1st time I ran into troubles) onto a CD at work and brought it home. On my home computer, combofix would not even initialize. I tried opening it from the CD, saving it to the desktop, but just couldn't get it to do anything. Any ideas on how to get combofix to initialize?
Like I said, everything seems to be working fine locally, but I can't connect to the internet via AOL for more than a few seconds before it kicks me back to the AOL signon screen.

So, I ran the hijackthis program even though I didn't get combofix to run. Hijackthis ran normally, but when it went to dump the scan into notepad, a micrsoft popup occurred stating that windows was closing down notepad to protect the system. I didn't see any options to dump the hijackthis scan into word (which works fine, along with excel), so I copied and pasted the screenshots of the hijackthis log into Word. I copied the word file onto a CD and brought it into work, but my work laptop reads the CD as being blank, even though I know the file was on there. I'll try to get the file off the CD, but it may be tomorrow.

Appreciate the help - let me know if you have any suggestions on getting combofix or another scan & fix tool to run.

thanks!!
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi please try to rename Combofix to this > Combo-Fix.

See if it will run if it will run then please.
========================
If it will not run then do the following:

Copy this file to the cd.
Then put it on the desktop of the infected comouter.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#9
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Kahdah ~
I will try your suggestions and let you know how they work. I am out of town for the memorial day weekend and will not be back until Monday.
I am also attaching a .pdf file that contains my hijack this log - recall that notepad will not open up for me at this point, so I had to do screen captures into Word and scan them. (hopefully, the attachment works...)

thanks and have a great weekend.

Attached Files


Edited by MNHerbie, 22 May 2008 - 08:24 AM.

  • 0

#10
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Adding page 2 of my hijack this logfile since I'm limited to 500K per attachment...

Attached Files


  • 0

Advertisements


#11
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Page 3 of hijackthis log.....

Attached Files


  • 0

#12
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Page 4 - final.
I did check in my C:\windows\system32 folder and it does appear that the notepad.exe file is there....not sure why word and excel work fine, but notepad gets shut down by windows with a statement that says something to the effect of 'to protect your computer windows is shutting down notepad...'

Attached Files


  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Okay it seems that the malware has corrupted the file associations so notepad and other programs cannot be used.
First I would like to see if this will work.
Save this file to cd then place it on the desktop or even try to run it from the cd if it will.
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

=========
Then try to run Combofix right after applying the daft program.
If Combofix still will not run then go ahead with my previous instructions.

Also whenever you can and you also have a great weekend. :)
  • 0

#14
MNHerbie

MNHerbie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Kahdah ~
Hope you had a relaxing weekend....
I didn't see your directions to run DAFT until this morning, so I was working off of your previous directions. Some success to report.

I first tried to run Combofix with no luck - it wouldn't even initialize. I then changed the file name to Combo-Fix as instructed. When I did that, the application would unzip, but it would get hung up (it would show the blue combo-fix box with the blinking cursor, but nothing would happen).
I then rebooted and ran combo-fix in safe mode. It ran successfully in safe mode and deleted a lot of files. I copied down as many files as I could by hand in the event that notepad wouldn't work. When Combofix was completed, it rebooted and got stuck at the screen that said "Preparing log report Do not run any programs until Combofix has completed". I wrote down these files as deleted by Combofix, but I also missed some (keep in mind, there may some typos since I am hand typing these):
Deleted by ComboFix:

C:\windows\b2new.exe
C:\programfiles\ISM\ism.exe
C:\programfiles\ISM
C:\windows\system32\msinet.oca
C:\windows\system32\msixu.dll
C:\windows\system32\ctfmona.exe
C:\windows\mainms.vpi
C:\windows\IFN.exe
C:\windows\updatetc.exe
C:\windows\promogif1.gif, promogif2.gif and promogif3.gif (3 files)
C:\windows\swim32.dll
C:\documents and settings\John\start menu\programs\internet speed monitor

After Combofix ran and rooted, spybot kept popping up with registry and key changes. I think spybot automatically came up at the reboot, so that may have interfered with Combofix trying to complete the log report. That's why I dislike spybot, it asks you to make decisions about key changes and registry changes, but on some of them you don't know whether or not to accept them.

So, after combofix ran, notepad started working again and I stopped getting a lot of the windows generated error messages. However, internet explorer and AOL still refuse to work...AOL starts up but after 3 to 5 seconds, it goes back to the signon screen. What do you think about uninstalling AOL and reloading it from a CD?? Before I get back on the internet, I'd like to download a firewall - any recommendations? I used to use Zone Alarm, but I'm not sure if it got deleted or deactivated because I no longer see it.

I then ran Malwarebytes. Malwarebytes asks for an interent connection so it can assure that that latest version is being used, but my internet connection wasn't working. Here is the logfile from Malwarebytes ~ this is a lot of information. Several of the files deleted are referenced by Malwarebytes as "fake dropped malware"....I'm curious what that means.
Thanks for all the help and advice ~ I'll await your reply:

-----------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 39653
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 49
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 17
Files Infected: 59

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9506910a-0f94-4ea1-b567-7070428b8b2b} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{faba076a-478a-4c32-a0a5-c774607901c2} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{5a148cf2-9c7b-4499-8e25-c9383a5e8680} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysidesearchsearchassistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\onestepsearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndFibu7.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\ZangoToolbar 4.8.2 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Tencent (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\Download (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\Plugin (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\ProtHand (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\QQ Treasure Hunter (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users\13140783 (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users\13153092 (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\mysidesearch_sidebar.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\msimg32.dll_old (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jpwnw64o.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\home.js (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\onestep.dll (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\onestep.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\osopt.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\readme.html (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\uninstall.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\configSave.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\InstallHelper.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\QQGamesD.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\tmpGameID.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\vistaQG.bat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\config (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\defaultlogin.swf (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\PositionInfo.data (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\Account.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\Common.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DynaCfg.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\GameInfo.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\Info.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\LocalVersion.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\NewDownRecord.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\SvrInfo.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock\1007.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock\1008.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock\1022.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock\1023.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock\1070.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original\BossKey.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original\ConnSvrst.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original\ConnSvrsu.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original\LoginConfig.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users\13140783\Config.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users\13140783\profile.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users\13153092\Config.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Users\13153092\profile.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\Download\Update.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\ProtHand\GmpbProt.map (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\QQ Treasure Hunter\twin.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\QQ Treasure Hunter\Uninstall.EXE (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{f74a73a9-6dba-ead1-7bd4-9ddfa630e4d9}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcntqkdm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OKay great can you nowtry to run thedss program that you have already.
Double click on it and let it run.
Then post those logs please.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP