Pls check HijackThis.log [RESOLVED]



#1 Norazam (New Member, 9 posts)
I'm not sure which one to delete, virus or spyware, on my desktop PC. Please give your advice. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:46:24, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\Program Files\The Name Technology\Kamus 3000\Kamus3000.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Documents and Settings\Azam\lsass.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Name Technology\Kamus 3000\KamusNetDetect.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroDist.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5A630EB7-43AC-4DA6-94B9-311C740A6166} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8A290466-39BD-419B-93DB-0E9599506654} - C:\WINDOWS\system32\jkkHYoPI.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kamus 3000] C:\Program Files\The Name Technology\Kamus 3000\Kamus3000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Azam\lsass.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: jkkHYoPI - C:\WINDOWS\SYSTEM32\jkkHYoPI.dll
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXphbQ\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9860 bytes
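A defender-side triage of the HijackThis log above, as an added example written for this page (it is not HijackThis's own code nor anything the forum provides). It runs over a constructed excerpt of the log and applies the checks an analyst makes by eye: a process with a core system name (lsass.exe) running outside the Windows directory, an O4 autorun launching from a user profile, O2/O3 and O23 entries whose file is gone, and randomly named DLLs registered as BHOs or Winlogon Notify handlers (O2/O20). The `CORE_SYSTEM_BINARIES` and `SYSTEM_DIRS` lists and the case-flip heuristic in `looks_random` are assumptions of the example, tuned to this log; their hits are prompts for review, not verdicts.

```python
import re

# Constructed excerpt of the HijackThis log posted above; lines are copied from the log so the
# checks run against real entries, but this is not part of HijackThis or the forum's tooling.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Azam\lsass.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O2 - BHO: (no name) - {8A290466-39BD-419B-93DB-0E9599506654} - C:\WINDOWS\system32\jkkHYoPI.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Azam\lsass.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: jkkHYoPI - C:\WINDOWS\SYSTEM32\jkkHYoPI.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXphbQ\command.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumptions of this example: names that only belong under the Windows directory on XP, and the
# directories where they legitimately live. A copy anywhere else is a spoof until proven otherwise.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
USER_PROFILE_ROOT = "c:\\documents and settings\\"

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path[: len(path) - len(basename(path))]


def looks_random(filename: str) -> bool:
    """Heuristic: count upper/lower case flips in the file stem. 'jkkHYoPI' flips three times,
    'antiwpa' zero, 'ashServ' twice. Legitimate vendor DLLs can trip this, so it is only applied
    to the narrow O2/O20 sections and its hits are review prompts, not verdicts."""
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def spoofed_system_binary(path: str) -> bool:
    """True when a core system name is running from anywhere but the Windows directory."""
    return basename(path).lower() in CORE_SYSTEM_BINARIES and not dirname(path).lower().startswith(SYSTEM_DIRS)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
            elif spoofed_system_binary(line):
                findings.append(("core system binary name running outside the Windows directory", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("orphaned BHO/toolbar registration, DLL no longer on disk", line))
        elif kind in ("O2", "O20"):
            dll = basename(body.rsplit(" - ", 1)[-1])
            if looks_random(dll):
                findings.append(("randomly named DLL hooked into IE or Winlogon", line))
        elif kind == "O4":
            exe = EXE_RE.search(body)
            if exe and (exe.group("path").lower().startswith(USER_PROFILE_ROOT)
                        or spoofed_system_binary(exe.group("path"))):
                findings.append(("autorun launching from a user profile or under a spoofed system name", line))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(("service registered for a binary that no longer exists", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Running it against the full log is a matter of reading the file into `triage`; the six hits it produces on the excerpt are exactly the entries the expert reply below goes after, while the avast!, NVIDIA and HP entries pass untouched because the checks are scoped to name spoofing, orphaned registrations and the two hook points (BHO, Winlogon Notify) where a randomly named DLL has no legitimate business.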

#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then uncheck Word Wrap. (Word Wrap makes reading your log difficult.)

Next, I would like to make sure that you can view hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please uninstall the following programs:

Limewire, and any other P2P programs you currently have installed.

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Please ensure you read this guide carefully and install the Recovery Console first.

Next, download ComboFix from Here or Here to your Desktop.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Save this log to your desktop as Combofix.txt and post it in your next reply.

(Note: Combofix will also save the report to C:\Combofix.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of Combofix.txt
  • The contents of the MBAM log
  • The contents of Kaspersky.txt
Note that you may have to split your replies into two or three posts to ensure that the logs are complete.

Finally, please let me know about Kamus 3000. Is it a cracked copy? If so, it could be infected.

Regards,
RatHat

#3 Norazam (Topic Starter, New Member, 9 posts)


Thanks RatHat.

After following your instructions, this is my ComboFix result.

So what antivirus would you recommend I use? I mean a user-friendly antivirus.
Thanks

ComboFix 08-05-25.4 - Azam 2008-05-26 22:48:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT 8:00]
Running from: C:\Documents and Settings\Azam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Azam\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM2b1af081.xml
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\pskt.ini
C:\WINDOWS\QXphbQ\
C:\WINDOWS\system32\jkkHYoPI.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\omxvyyrg.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\VDMVwGgh.ini
C:\WINDOWS\system32\VDMVwGgh.ini2
C:\WINDOWS\system32\xsbvntxq.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-26 22:02 . 2008-05-26 22:02 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-26 22:02 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-26 22:01 . 2008-05-26 22:01 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\TuneUp Software
2008-05-26 22:00 . 2008-05-26 22:01 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-26 22:00 . 2008-05-26 22:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2008-05-26 21:51 . 2008-05-26 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 11:53 . 2008-05-26 11:53 14 --a------ C:\WINDOWS\popcinfo.dat
2008-05-26 11:33 . 2008-05-26 11:33 111,544 --a------ C:\WINDOWS\system32\nnnoMCRK.dll
2008-05-25 22:43 . 2008-05-25 22:44 <DIR> d-------- C:\490f3b84eff4163aa2f9
2008-05-25 12:00 . 2008-05-25 12:27 117,548 --a------ C:\WINDOWS\hpoins11.dat
2008-05-25 11:37 . 2008-05-25 11:37 <DIR> d-------- C:\WINDOWS\system\IOSUBSYS
2008-05-25 11:35 . 2008-05-25 11:35 <DIR> d-------- C:\Program Files\Uniblue
2008-05-25 10:52 . 2008-05-25 10:52 <DIR> d-------- C:\Program Files\Acesoft
2008-05-25 10:52 . 2007-01-23 00:43 277,504 --a------ C:\WINDOWS\system32\oestore.dll
2008-05-25 10:52 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\TabCtl32.ocx
2008-05-25 10:39 . 2008-05-25 10:39 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\Uniblue
2008-05-25 10:34 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-05-25 10:31 . 2008-05-25 10:31 <DIR> d-------- C:\Program Files\Realtek AC97
2008-05-25 10:31 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-05-25 10:30 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-05-25 10:27 . 2008-05-25 11:52 88,224 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-25 10:26 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-05-25 10:25 . 2008-05-25 10:25 <DIR> d-------- C:\NVIDIA
2008-05-25 09:45 . 2008-05-25 09:46 <DIR> d-------- C:\HJT
2008-05-25 09:14 . 2008-05-25 09:14 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-25 09:13 . 2008-05-25 09:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-25 09:13 . 2008-05-25 09:13 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\SystemRequirementsLab
2008-05-25 08:53 . 2008-05-25 08:53 <DIR> d-------- C:\Program Files\XPC Tools
2008-05-24 01:13 . 2008-05-25 11:58 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2008-05-24 01:07 . 2008-05-24 01:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ashampoo
2008-05-24 01:06 . 2008-05-24 01:06 <DIR> d-------- C:\Program Files\Ashampoo
2008-05-23 23:57 . 2008-05-23 23:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-23 23:54 . 2008-05-23 23:54 <DIR> d-------- C:\Program Files\Real
2008-05-23 23:54 . 2008-05-23 23:56 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-23 00:59 . 2008-05-23 00:59 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\DivX
2008-05-23 00:55 . 2008-05-23 00:56 <DIR> d-------- C:\Program Files\DivX
2008-05-22 23:52 . 2008-05-22 23:53 374,272 --a------ C:\WINDOWS\system32\jkkLDTkl.dll
2008-05-21 22:42 . 2008-05-21 22:42 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-21 22:42 . 2008-01-10 13:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-05-21 22:42 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-05-21 20:00 . 2008-05-26 11:55 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\U3
2008-05-21 19:20 . 2008-05-21 19:20 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\AdobeUM
2008-05-21 18:01 . 2008-05-21 18:16 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\Image Zone Express
2008-05-21 16:43 . 2008-05-18 02:31 117,644 --------- C:\WINDOWS\hpoins11.dat.temp
2008-05-21 16:43 . 2006-05-05 18:10 11,634 --------- C:\WINDOWS\hpomdl11.dat.temp
2008-05-20 22:26 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-20 22:18 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-20 21:24 . 2008-05-20 21:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-20 21:21 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-05-19 16:07 . 2008-05-19 16:07 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-19 15:40 . 2008-05-19 15:40 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-05-19 15:40 . 2008-05-19 15:40 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-19 15:27 . 2008-05-19 15:27 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-05-19 15:27 . 2008-05-19 15:27 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-05-19 15:25 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-05-19 15:24 . 2008-05-19 15:24 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-19 15:22 . 2008-05-19 16:27 <DIR> d-------- C:\WINDOWS\system32\zDB
2008-05-19 15:22 . 2008-05-19 15:23 <DIR> d-------- C:\WINDOWS\system32\cs5
2008-05-19 15:21 . 2008-05-19 15:21 <DIR> d-------- C:\WINDOWS\system32\logXv18
2008-05-19 15:21 . 2008-05-19 15:22 <DIR> d-------- C:\Temp\dmpxp32
2008-05-19 15:21 . 2008-05-26 22:49 <DIR> d-------- C:\Temp
2008-05-19 15:21 . 2008-05-19 15:21 86,016 ---hs---- C:\Documents and Settings\Azam\lsass.exe
2008-05-19 06:28 . 2008-05-19 06:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-19 06:18 . 2008-05-26 21:30 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\LimeWire
2008-05-19 06:13 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-19 06:10 . 2008-05-19 06:13 <DIR> d-------- C:\Program Files\Java
2008-05-19 06:06 . 2008-05-19 06:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-19 06:00 . 2008-05-19 06:00 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\Yahoo!
2008-05-19 06:00 . 2008-05-19 06:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-05-19 05:48 . 2008-05-26 22:35 <DIR> d-------- C:\Program Files\LimeWire
2008-05-19 03:28 . 2008-05-19 03:28 <DIR> d-------- C:\Program Files\The Name Technology
2008-05-19 03:28 . 2003-08-05 15:21 268,800 --a------ C:\WINDOWS\system32\KamusDialog.dll
2008-05-19 03:28 . 2003-08-06 09:18 199,168 --a------ C:\WINDOWS\system32\dictchk.dll
2008-05-19 03:28 . 2003-01-27 10:59 174,592 --a------ C:\WINDOWS\system32\KamusAnw.dll
2008-05-19 03:28 . 1999-05-07 00:00 140,288 --a------ C:\WINDOWS\system32\ComDlg32.ocx
2008-05-19 03:28 . 2008-05-21 00:28 18 --a------ C:\WINDOWS\krwin.dat
2008-05-19 02:06 . 2008-05-19 02:06 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\Abexo
2008-05-19 00:49 . 2008-05-19 01:00 <DIR> d-------- C:\Program Files\XoftSpySE
2008-05-19 00:08 . 2008-05-19 00:10 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\Antispyware
2008-05-18 23:58 . 2008-05-19 02:19 <DIR> d-------- C:\Program Files\Ares Destiny
2008-05-18 03:19 . 2008-05-21 19:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-18 03:16 . 2008-05-19 02:06 <DIR> d-------- C:\Program Files\Abexo
2008-05-18 02:43 . 2008-05-18 02:43 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-18 02:32 . 2008-05-19 06:08 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\AVGTOOLBAR
2008-05-18 02:30 . 2008-05-21 19:06 <DIR> d-------- C:\Documents and Settings\Azam\Application Data\HP
2008-05-18 02:30 . 2008-05-18 02:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\HP
2008-05-18 02:29 . 2008-05-24 17:22 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-18 02:28 . 2008-05-18 02:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-18 02:27 . 2006-04-10 14:03 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2008-05-18 02:27 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-18 02:27 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-18 02:25 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-18 02:25 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-18 02:25 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-18 02:25 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-18 02:25 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-18 02:25 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-18 02:24 . 2008-05-18 02:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-05-18 02:24 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-18 02:24 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-05-18 02:22 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-18 02:22 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-18 02:21 . 2008-05-25 12:13 <DIR> d-------- C:\Program Files\HP
2008-05-18 02:21 . 2008-05-18 02:29 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-18 02:20 . 2008-05-18 02:22 211,976 --a------ C:\WINDOWS\hpdj3500.his
2008-05-18 02:20 . 2008-05-18 02:22 10,509 --a------ C:\WINDOWS\hpdj3500.ini
2008-05-18 02:18 . 2008-05-18 02:22 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-18 02:18 . 2008-05-18 02:18 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 02:06 . 2008-05-18 02:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-18 00:59 . 2008-05-18 00:59 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-18 00:59 . 2008-05-18 00:59 37 --a------ C:\WINDOWS\vbaddin.ini
2008-05-18 00:59 . 2008-05-18 00:59 36 --a------ C:\WINDOWS\vb.ini
2008-05-18 00:58 . 2008-05-18 00:58 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-18 00:57 . 2004-08-03 23:01 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-05-18 00:57 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-05-13 09:53 . 2008-05-13 09:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 09:53 . 2008-05-13 09:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-13 09:53 . 2008-05-13 09:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-13 09:51 . 2008-05-13 09:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-13 09:51 . 2008-05-13 09:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-13 09:49 . 2008-05-13 09:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-05-13 09:49 . 2008-05-13 09:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-13 09:49 . 2008-05-13 09:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 09:49 . 2008-05-13 09:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-01 16:59 . 2006-04-12 18:02 659,456 --a------ C:\WINDOWS\system32\hpowiax2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 14:44 --------- d-----w C:\Documents and Settings\Azam\Application Data\DMCache
2008-05-18 19:27 146 ----a-w C:\Program Files\INSTALL.LOG
2008-05-18 15:41 --------- d-----w C:\Documents and Settings\Azam\Application Data\IDM
2008-05-17 18:39 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-17 17:53 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-17 17:52 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-17 17:47 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-17 17:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-17 17:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 17:36 --------- d-----w C:\Program Files\Silicon Integrated Systems
2008-05-17 17:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-17 17:34 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-05-17 17:34 --------- d-----w C:\Program Files\AvRack
2008-05-17 17:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-05-17 17:04 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-13 01:53 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-13 01:53 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-13 01:53 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-13 01:53 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-05-13 01:53 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-13 01:53 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 02:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
.

------- Sigcheck -------

2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2007-05-24 16:51 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\system32\user32.dll
2007-05-24 16:51 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\system32\dllcache\user32.dll

2007-05-24 16:51 823296 b8f4db39ca7353752f245379d285c80e C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SoftwareDistribution\Download\ceba12074e2ee6f2478e27a2b926a276\SP2GDR\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\SoftwareDistribution\Download\ceba12074e2ee6f2478e27a2b926a276\SP2QFE\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\system32\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\system32\dllcache\wininet.dll

2007-05-24 16:50 360704 e6b15bcc470953e600ef7aded3cab142 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2007-05-24 16:58 2017280 2dfb215e291e3d9b1cf9a6739b3bf16c C:\WINDOWS\system32\ntkrnlpa.exe

2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-05-24 16:50 2137600 e6679c3023b17d8b78946bc5df53fa20 C:\WINDOWS\system32\ntoskrnl.exe

2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\explorer.exe
2007-05-24 16:49 1033216 42d32722b805d7df42d30487a0bcbd78 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2GDR\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2QFE\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-12-21 07:08 931760]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-02-12 12:57 168120]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2006-07-23 06:49 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"Uniblue RegistryBooster 2"=C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
"Tracks Eraser Pro"=C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"Kamus 3000"=C:\Program Files\The Name Technology\Kamus 3000\Kamus3000.exe
"LSA Shellu"=C:\Documents and Settings\Azam\lsass.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 07:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 07:16]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
S3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-19 15:40]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-19 15:40]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-26 22:02]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\Auto\command - H:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b15f2c2-2a35-11dd-8b4e-000d879b1443}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8932dc0b-2a0f-11dd-8b4d-000d879b1443}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4a5948a-2435-11dd-8b26-000d879b1443}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4a5948b-2435-11dd-8b26-000d879b1443}]
\Shell\Auto\command - H:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 14:55:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-26 14:55:04 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-18 16:49:54 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 22:55:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-05-26 23:00:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 14:59:58

Pre-Run: 33,226,113,024 bytes free
Post-Run: 33,317,134,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

340 --- E O F --- 2008-05-26 13:55:08

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MBAM


Log from MBAM.
Malwarebytes' Anti-Malware 1.12
Database version: 788

Scan type: Quick Scan
Objects scanned: 38250
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Malware.Tool) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\XPRepairPro2007 (Rogue.XPRepairPro2007) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmtd.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll._ (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnoMCRK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Delete on reboot.
C:\WINDOWS\system32\jkkLDTkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Azam\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

The Kaspersky online scan I will submit to you later, because that scan takes about 1 or 2 hours...

Edited by Norazam, 26 May 2008 - 12:06 PM.

  • 0

#4
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Let's see the other two logs when you have them, then I will get back to you with the next part of your fix.

Do not use any flash drives or other removable media that has been used on this computer with any other computer. This includes camera cards, mobile phones, flash drives or anything else that has been connected to the computer.

Signs are that they could also be infected. I will show you how to clean them once I have seen the other logs :)

Regards,
RatHat
  • 0

#5
Norazam

Norazam

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Let's see the other two logs when you have them, then I will get back to you with the next part of your fix.

Do not use any flash drives or other removable media that has been used on this computer with any other computer. This includes camera cards, mobile phones, flash drives or anything else that has been connected to the computer.

Signs are that they could also be infected. I will show you how to clean them once I have seen the other logs :)

Regards,
RatHat


This is the last report sent to you for your action, RatHat.... Thanks a lot for cooperating with me.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 9:10:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 801425
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 102833
Number of viruses found: 6
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:46:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\cert8.db Object is locked skipped
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\history.dat Object is locked skipped
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\key3.db Object is locked skipped
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\parent.lock Object is locked skipped
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Azam\Application Data\Mozilla\Firefox\Profiles\xecqfgf4.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Azam\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Temp\WER01f4.dir00\appcompat.txt Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Temp\WERb313.dir00\appcompat.txt Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Temp\WERea9c.dir00\appcompat.txt Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Temp\~DF8454.tmp Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Azam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Azam\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Azam\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\log\log_main.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7AA877DC-9DA1-487E-8B87-C39148F71B9C}\RP11\A0002484.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.cm skipped
C:\System Volume Information\_restore{7AA877DC-9DA1-487E-8B87-C39148F71B9C}\RP11\A0002485.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.cn skipped
C:\System Volume Information\_restore{7AA877DC-9DA1-487E-8B87-C39148F71B9C}\RP15\A0002823.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{7AA877DC-9DA1-487E-8B87-C39148F71B9C}\RP33\A0014242.exe Object is locked skipped
C:\System Volume Information\_restore{7AA877DC-9DA1-487E-8B87-C39148F71B9C}\RP33\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_498.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7AA877DC-9DA1-487E-8B87-C39148F71B9C}\RP33\change.log Object is locked skipped
D:\System Volume Information\_restore{7BD1CD56-0EF1-48DF-9CA9-93847F601F61}\RP33\A0010170.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.g skipped
D:\System Volume Information\_restore{7BD1CD56-0EF1-48DF-9CA9-93847F601F61}\RP33\A0010170.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{7BD1CD56-0EF1-48DF-9CA9-93847F601F61}\RP33\A0010170.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{7BD1CD56-0EF1-48DF-9CA9-93847F601F61}\RP33\A0010170.exe RarSFX: infected - 3 skipped
E:\Games\GELABAH.EXE Infected: not-virus:BadJoke.Win32.Austral skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
  • 0

#6
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Did you run MBAM? If so, could I see that log too, please. Also let me know how your computer is behaving now.

Regards,
RatHat
  • 0

#7
Norazam

Norazam

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Did you run MBAM? If so, could I see that log too, please. Also let me know how your computer is behaving now.

Regards,
RatHat



My PC is OK, but maybe some spyware still lives in my PC (can't remove).
(Sorry, just broken typing..)

MBAM


Log from MBAM.
Malwarebytes' Anti-Malware 1.12
Database version: 788

Scan type: Quick Scan
Objects scanned: 38250
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Malware.Tool) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\XPRepairPro2007 (Rogue.XPRepairPro2007) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmtd.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll._ (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnoMCRK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Delete on reboot.
C:\WINDOWS\system32\jkkLDTkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Azam\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.



This is the latest MBAM scan:

Malwarebytes' Anti-Malware 1.12
Database version: 789

Scan type: Quick Scan
Objects scanned: 38982
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Malware.Tool) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> No action taken.

Edited by Norazam, 27 May 2008 - 07:48 AM.

  • 0

#8
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please run the MGA Diagnostic Tool and post back the report it produces:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program.
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
Regards,
RatHat
  • 0

#9
Norazam

Norazam

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Please run the MGA Diagnostic Tool and post back the report it produces:

  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program.
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
Regards,
RatHat


These are the results:

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Not Activated
Validation Code: 1
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 55274-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {BBCDB7BE-A70E-410D-87F4-6177CFDAACB6}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_025D1FF3-179-2_025D1FF3-199-3
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.7.36.0
WgaTray.exe Signed By: N/A, hr = 0x80004005
WgaLogon.dll Signed By: N/A, hr = 0x80004005

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80004005
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_025D1FF3-179-2_025D1FF3-199-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\ntoskrnl.exe[5.1.2600.3093]
File Mismatch: C:\WINDOWS\system32\kernel32.dll[5.1.2600.3119]
File Mismatch: C:\WINDOWS\system32\setupapi.dll[5.1.2600.2938]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BBCDB7BE-A70E-410D-87F4-6177CFDAACB6}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>55274-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1004336348-1757981266-682003330</SID><SYSTEM><Manufacturer>AWARD_</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20031110000000.000000+000</Date></BIOS><HWID>D2563B570184BC43</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Malay Peninsula Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>17DD4CCB8D13D00</Val><Hash>cHNx8L9GygdoBwMKDrM5HZ60lNQ=</Hash><Pid>73931-640-5009671-57426</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

#10
RatHat (Ex Malware Expert, Expert, 7,829 posts)
Malware may have damaged the activation of your copy of Windows XP, so I need you to revalidate it.

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.


#11
Norazam (New Member, Topic Starter, 9 posts)

Malware may have damaged the activation of your copy of Windows XP, so I need you to revalidate it.

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)

  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.



Sorry for the late reply to you. My PC previously maybe did not have an original Win XP installed, so it has no activation key or serial number.
I have to buy a new original XP to get the serial number to activate my Win XP. Thanks.

#12
RatHat (Ex Malware Expert, Expert, 7,829 posts)
I'm not sure what you are saying here.

Your PC does not have a valid version of Windows right? So you do not have an activation key, is this right?

Now have you bought an original Windows XP installation, or are you asking if you have to?

Regards,
RatHat

#13
Norazam (New Member, Topic Starter, 9 posts)


I'm not sure what you are saying here.

Your PC does not have a valid version of Windows right? So you do not have an activation key, is this right?

Now have you bought an original Windows XP installation, or are you asking if you have to?

Regards,
RatHat


I mean, before this I had no internet yet, so maybe Genuine validation could not detect whether the software was original or pirated. I registered with Streamyx about 2 weeks ago.
So the solution is I must buy an original Win XP to solve my problem.

#14
RatHat (Ex Malware Expert, Expert, 7,829 posts)
Yes you will need to buy an original Windows CD to solve this problem.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\antiwpa.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please double-click OTMoveIt2.exe to run it.
  • Click the Clean up button.
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?).
  • Click Yes to the reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Other than the cleanup and removal of that one file, your log is clean.

I would advise installing a genuine copy of windows as soon as you can, as this will give you access to security updates that will be needed to help keep your system clean.

Regards,
RatHat
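As an added example (not part of this thread and not OTMoveIt's own code), the following Python script does in code what the two steps above describe: it reads the "Files Infected:" section of a scan log in the format posted earlier in the thread, records each file's SHA-256 before moving it into a quarantine folder, and writes an OTM.txt-style results log so there is a record of what was moved and from where. The file names, the quarantine folder and the sample log inside demo() are constructed for the demonstration; a file the operating system refuses to move is reported as "locked", which is the situation in which the tool asks for a reboot to finish the move.

```python
"""Parse a scanner's "Files Infected:" section and quarantine the listed files.

Added example, not code from the thread or from OTMoveIt. All paths and the
sample log used by demo() are constructed for the demonstration.
"""
import hashlib
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

# One scanner result line looks like:
#   C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> No action taken.
# The greedy path group lets the path itself contain spaces and parentheses.
_RESULT_RE = re.compile(r"^(?P<path>.*) \((?P<name>[^()]+)\) -> (?P<action>.*)$")


def parse_infected_files(log_text):
    """Return [(path, detection_name)] from the "Files Infected:" block only."""
    found = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            # Section headers: "Folders Infected:", "Files Infected:", ...
            in_section = line == "Files Infected:"
            continue
        if not in_section or not line or line.startswith("(No malicious"):
            continue
        m = _RESULT_RE.match(line)
        if m:
            found.append((m.group("path"), m.group("name")))
    return found


def sha256_of(path):
    """Hash the file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_files(paths, quarantine_dir):
    """Move each file into quarantine_dir, recording its hash before the move.

    Each result dict has status "moved", "missing" or "locked". A file that is
    in use (e.g. a loaded DLL on Windows) typically raises PermissionError on
    move; that is the case where a tool would defer the move to a reboot.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    results = []
    for path in paths:
        entry = {"path": path, "status": None, "sha256": None, "moved_to": None}
        if not os.path.isfile(path):
            entry["status"] = "missing"
        else:
            entry["sha256"] = sha256_of(path)
            dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
            try:
                shutil.move(path, dest)
                entry["status"] = "moved"
                entry["moved_to"] = dest
            except PermissionError:
                entry["status"] = "locked"
        results.append(entry)
    return results


def write_results_log(results, log_path):
    """Write an OTM.txt-style record, one line per file."""
    with open(log_path, "w") as f:
        f.write(f"Quarantine run {datetime.now(timezone.utc).isoformat()}\n")
        for r in results:
            f.write(f"{r['status']:8} sha256={r['sha256']} {r['path']} -> {r['moved_to']}\n")


def demo():
    """Self-contained run on a constructed scan log inside a temp directory."""
    work = tempfile.mkdtemp()
    present = os.path.join(work, "antiwpa.dll")       # constructed stand-in file
    with open(present, "wb") as f:
        f.write(b"not a real dll, constructed for the example")
    gone = os.path.join(work, "already_deleted.dll")  # never created: missing case
    log = (
        "Folders Infected:\n(No malicious items detected)\n\n"
        "Files Infected:\n"
        f"{present} (Malware.Tool) -> No action taken.\n"
        f"{gone} (Trojan.Agent) -> No action taken.\n"
    )
    paths = [p for p, _ in parse_infected_files(log)]
    results = quarantine_files(paths, os.path.join(work, "quarantine"))
    write_results_log(results, os.path.join(work, "OTM.txt"))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Hashing before the move matters for the same reason the thread asks for the OTM.txt log: once the file is out of its original location, the hash is the only way to tie the quarantined copy back to what the scanner reported, and it can later be checked against reputation sources without touching the file again.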

#15
RatHat (Ex Malware Expert, Expert, 7,829 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.