Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Another 'Fake Windows Security Center Pop-Up' infection [RESOL


  • This topic is locked This topic is locked

#1
kienz

kienz

    Member

  • Member
  • PipPip
  • 12 posts
Hey, I read the "Fake Windows Security Center Pop-Ups, Fake page and balloon pop-ups...won't go away" topic and tried to clear the same problem that my laptop shared, but after running ATF and saving the OTScanIt and saving the report in Notepad, I realize I can't really fix my laptop the same way since the files to be deleted were user-specific as mentioned in the directions. So, I'd like to get some help here by attaching my OTScanIt report here. I'll wait patiently till then =) Thanks!

Attached Files


  • 0

Advertisements


#2
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello kienz, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following..


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator


Regards
fenzodahl512
  • 0

#3
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hey, thanks for the reply, appreciate it man. I notice my Firefox is performing really slowly, which has forced me to turn to IE (which is slightly faster, but gives more pop-ups). Anyway, done what was asked and here they are (I hope pasting it here would be ok, since you didn't ask for it to be attached).

Main.txt
Deckard's System Scanner v20071014.68
Run by Computer on 2008-06-04 15:52:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Computer.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:12 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Documents and Settings\Computer\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Computer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AA0726C-95B7-4216-AA43-B5BDD524892F} - C:\WINDOWS\system32\awtUoooO.dll
O2 - BHO: (no name) - {5850F834-3336-409A-BB0E-2A008994E875} - C:\WINDOWS\system32\rqRHxxxV.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender8\\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [ecb03e0c] rundll32.exe "C:\WINDOWS\system32\rerbrdom.dll",b
O4 - HKLM\..\Run: [BMef830d90] Rundll32.exe "C:\WINDOWS\system32\swoukkyn.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: awtUoooO - C:\WINDOWS\SYSTEM32\awtUoooO.dll
O20 - Winlogon Notify: __c0099E89 - C:\WINDOWS\SYSTEM32\__c0099E89.dat
O20 - Winlogon Notify: __c00F459C - C:\WINDOWS\SYSTEM32\__c00F459C.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8865 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080524-172413-712 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080524-172413-933 F3 - REG:win.ini: load=Flash.10.exe
backup-20080529-072940-528 O4 - HKCU\..\Run: [Windows MSN] C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
backup-20080529-072940-611 F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\JambanMu.com"

-- File Associations -----------------------------------------------------------

.com - comfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,0
.vbs - txtfile - DefaultIcon - %SystemRoot%\system32\shell32.dll,-152
.vbs - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - txtfile - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 TestUSB - c:\windows\system32\drivers\testusb.sys

S2 FILESpy - c:\program files\softwin\bitdefender8\filespy.sys (file missing)
S2 REGSpy - c:\program files\softwin\bitdefender8\regspy.sys (file missing)
S3 catchme - c:\docume~1\computer\locals~1\temp\catchme.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 ZTEusbmdm6k (ZTE Proprietary USB Driver) - c:\windows\system32\drivers\zteusbmdm6k.sys (file missing)
S3 ZTEusbnmea (ZTE NMEA Port) - c:\windows\system32\drivers\zteusbnmea.sys (file missing)
S3 ZTEusbser6k (ZTE Diagnostic Port) - c:\windows\system32\drivers\zteusbser6k.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_30B2103C&REV_02\4&6B16D5B&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_30B2103C&REV_02\4&6B16D5B&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-05-29 07:03:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 02:19:15 0 d-------- C:\Documents and Settings\Computer\Application Data\gtk-2.0
2008-06-04 02:18:03 0 d-------- C:\Documents and Settings\Computer\deluge
2008-06-04 02:15:39 0 d-------- C:\Program Files\Deluge
2008-06-04 00:14:00 115264 --a------ C:\WINDOWS\system32\rerbrdom.dll
2008-06-04 00:11:32 2624 --a------ C:\WINDOWS\system32\dfbmfxyq.exe
2008-06-04 00:11:07 126016 --a------ C:\WINDOWS\system32\swoukkyn.dll
2008-06-01 23:11:23 0 d-------- C:\Documents and Settings\Computer\Application Data\Uniblue
2008-06-01 18:54:40 2624 --a------ C:\WINDOWS\system32\ifsnkfbi.exe
2008-06-01 18:54:29 126528 --a------ C:\WINDOWS\system32\iyluxdis.dll
2008-05-31 17:04:32 2624 --a------ C:\WINDOWS\system32\ufcrxvdi.exe
2008-05-31 17:04:26 127040 --a------ C:\WINDOWS\system32\bjreibmp.dll
2008-05-31 17:01:41 127040 --a------ C:\WINDOWS\system32\qakaetjk.dll
2008-05-29 22:24:30 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 22:24:30 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 22:23:21 11552 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 22:23:21 352288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 22:23:19 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-29 22:23:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 17:24:46 57344 --a------ C:\WINDOWS\system32\awtUoooO.dll
2008-05-29 17:14:38 6272 --a------ C:\WINDOWS\system32\drivers\TestUSB.sys
2008-05-29 07:30:17 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-24 17:19:47 0 d-------- C:\Program Files\Trend Micro
2008-05-24 17:04:42 2624 --a------ C:\WINDOWS\system32\thkgirif.exe
2008-05-24 16:59:08 126528 --a------ C:\WINDOWS\system32\uvfnrrio.dll
2008-05-23 13:08:09 0 d-------- C:\Documents and Settings\Computer\Application Data\U3
2008-05-21 04:51:46 2624 --a------ C:\WINDOWS\system32\tbemwoyi.exe
2008-05-21 04:51:36 127040 --a------ C:\WINDOWS\system32\eokfsprk.dll
2008-05-19 20:57:20 2112 --a------ C:\WINDOWS\system32\bvlwtbev.exe
2008-05-19 20:57:10 124992 --a------ C:\WINDOWS\system32\rcqjxaxp.dll
2008-05-19 18:15:17 32320 --a------ C:\WINDOWS\system32\rtejuhpg.dll
2008-05-19 18:12:19 32320 --a------ C:\WINDOWS\system32\voralkfu.dll
2008-05-19 18:12:17 32320 --a------ C:\WINDOWS\system32\kowrjxcm.dll
2008-05-19 18:09:19 32320 --a------ C:\WINDOWS\system32\dodegruw.dll
2008-05-19 18:09:19 32320 --a------ C:\WINDOWS\system32\__c00E3EA4.dat
2008-05-19 18:09:17 32320 --a------ C:\WINDOWS\system32\xekpcjda.dll
2008-05-19 18:06:19 32320 --a------ C:\WINDOWS\system32\__c00F9C09.dat
2008-05-19 18:06:18 32320 --a------ C:\WINDOWS\system32\cqouoknk.dll
2008-05-19 18:06:17 32320 --a------ C:\WINDOWS\system32\vgwxwjdl.dll
2008-05-19 18:03:18 32320 --a------ C:\WINDOWS\system32\ffdcwlep.dll
2008-05-19 18:03:17 32320 --a------ C:\WINDOWS\system32\iqpqanoo.dll
2008-05-19 18:00:20 32320 --a------ C:\WINDOWS\system32\__c00387A5.dat
2008-05-19 18:00:19 32320 --a------ C:\WINDOWS\system32\gahipski.dll
2008-05-19 18:00:17 32320 --a------ C:\WINDOWS\system32\yukyjvib.dll
2008-05-19 17:54:17 2112 --a------ C:\WINDOWS\system32\qlvpkpaq.exe
2008-05-19 17:51:20 124992 --a------ C:\WINDOWS\system32\wnycleiw.dll
2008-05-18 17:58:29 32320 --a------ C:\WINDOWS\system32\__c0099E89.dat
2008-05-18 17:58:27 32320 --a------ C:\WINDOWS\system32\segowqtu.dll
2008-05-18 17:55:40 32320 --a------ C:\WINDOWS\system32\uqkgldeh.dll
2008-05-18 17:55:22 32320 --a------ C:\WINDOWS\system32\jqhfeull.dll
2008-05-18 17:55:15 117312 --a------ C:\WINDOWS\system32\mbihhkhe.dll
2008-05-18 17:52:16 2112 --a------ C:\WINDOWS\system32\ixqtstob.exe
2008-05-18 17:49:16 124992 --a------ C:\WINDOWS\system32\piuddetp.dll
2008-05-15 14:21:08 32320 --a------ C:\WINDOWS\system32\__c00F459C.dat
2008-05-15 14:21:07 32320 --a------ C:\WINDOWS\system32\quhxirhd.dll
2008-05-15 14:18:09 32320 --a------ C:\WINDOWS\system32\bhmjsamo.dll
2008-05-15 14:18:08 32320 --a------ C:\WINDOWS\system32\__c00300A4.dat
2008-05-15 14:18:07 32320 --a------ C:\WINDOWS\system32\rulqwfhk.dll
2008-05-15 14:16:36 2112 --a------ C:\WINDOWS\system32\liwiwhwh.exe
2008-05-15 14:16:31 32320 --a------ C:\WINDOWS\system32\__c0045D10.dat
2008-05-15 14:16:06 32320 --a------ C:\WINDOWS\system32\lbngeoqf.dll
2008-05-15 14:12:17 126528 --a------ C:\WINDOWS\system32\qepbalxb.dll
2008-05-14 11:44:19 57344 --a------ C:\WINDOWS\system32\jkkHBRJc.dll
2008-05-14 02:07:22 57344 --a------ C:\WINDOWS\system32\qoMEVNeE.dll
2008-05-14 01:44:54 57344 --a------ C:\WINDOWS\system32\xxyVMdcA.dll
2008-05-14 01:44:49 57344 --a------ C:\WINDOWS\system32\efcCrOHa.dll
2008-05-14 01:43:26 57344 --a------ C:\WINDOWS\system32\ddcAsssP.dll
2008-05-14 01:41:30 57344 --a------ C:\WINDOWS\system32\jkkJawxw.dll
2008-05-14 01:35:30 57344 --a------ C:\WINDOWS\system32\tuvSkHwU.dll
2008-05-14 01:35:06 386744 --ahs---- C:\WINDOWS\system32\VxxxHRqr.ini2
2008-05-14 00:45:49 68096 --a------ C:\WINDOWS\zip.exe
2008-05-14 00:45:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-14 00:45:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-14 00:45:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-14 00:45:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-14 00:45:49 98816 --a------ C:\WINDOWS\sed.exe
2008-05-14 00:45:49 80412 --a------ C:\WINDOWS\grep.exe
2008-05-14 00:45:49 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-14 00:37:56 371200 --a------ C:\WINDOWS\system32\rqRHxxxV.dll
2008-05-14 00:33:54 57344 --a------ C:\WINDOWS\system32\hgGyabYR.dll
2008-05-14 00:29:50 57344 --a------ C:\WINDOWS\system32\khfCtrSk.dll
2008-05-14 00:27:38 57344 --a------ C:\WINDOWS\system32\nnnkHwxV.dll
2008-05-14 00:26:24 57344 --a------ C:\WINDOWS\system32\ljJASjGA.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-01 23:31:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 18:21:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-01 18:19:52 0 d-------- C:\Program Files\e-Games
2008-06-01 18:14:49 0 d-------- C:\Program Files\BitComet
2008-05-21 14:53:42 0 d-------- C:\Program Files\Skype
2008-04-30 14:57:16 0 d-------- C:\Program Files\MSECache
2008-04-20 13:06:58 0 d-------- C:\Program Files\Guitar Pro 5


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
05/29/2008 05:24 PM 57344 --a------ C:\WINDOWS\system32\awtUoooO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5850F834-3336-409A-BB0E-2A008994E875}]
05/14/2008 12:39 AM 371200 --a------ C:\WINDOWS\system32\rqRHxxxV.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [03/23/2006 11:38 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 11:17 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 11:13 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 11:17 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [02/14/2006 10:49 AM]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\\bdmcon.exe" [09/12/2007 08:52 PM]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender8\\bdswitch.exe" [09/12/2007 08:52 PM]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [09/12/2007 08:52 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/08/2006 07:15 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/14/2007 12:28 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"ccPrxy.exe"="ccPrxy.exe" []
"ecb03e0c"="C:\WINDOWS\system32\rerbrdom.dll" [06/04/2008 12:14 AM]
"BMef830d90"="C:\WINDOWS\system32\swoukkyn.dll" [06/04/2008 12:11 AM]
"BMef830d90"="C:\WINDOWS\system32\swoukkyn.dll" [06/04/2008 12:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFind"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\awtUoooO.dll [05/29/2008 05:24 PM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUoooO]
awtUoooO.dll 05/29/2008 05:24 PM 57344 C:\WINDOWS\system32\awtUoooO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0099E89]
__c0099E89.dat 05/18/2008 05:58 PM 32320 C:\WINDOWS\system32\__c0099E89.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F459C]
__c00F459C.dat 05/15/2008 02:21 PM 32320 C:\WINDOWS\system32\__c00F459C.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRHxxxV

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- F:\Flash.10.Setup.exe
Open\command- F:\Flash.10.Setup.exe
Scan for Viruses\command- F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ef13d4-2645-11dd-a545-001b774db7cd}]
Auto\command- G:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ef13d6-2645-11dd-a545-001b774db7cd}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b60020-2886-11dd-a550-0016d3a08bc1}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b60021-2886-11dd-a550-0016d3a08bc1}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- G:\Flash.10.Setup.exe
Open\command- G:\Flash.10.Setup.exe
Scan for Viruses\command- G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60888782-0dcd-11dd-a4f9-001a6b7c908f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- Flash.10.Setup.exe
Open\command- Flash.10.Setup.exe
Scan for Viruses\command- Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c545994-25b8-11dd-a543-001a6b7c908f}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c545995-25b8-11dd-a543-001a6b7c908f}]
Auto\command- G:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93d89626-8f39-11dc-a3f0-0016d3a08bc1}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- F:\Flash.10.Setup.exe
Open\command- F:\Flash.10.Setup.exe
Scan for Viruses\command- F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b61e6b-a31a-11dc-a425-001a6b7c908f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- F:\Flash.10.Setup.exe
Open\command- F:\Flash.10.Setup.exe
Scan for Viruses\command- F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae709848-70b3-11dc-a381-001a6b7c908f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL QQDoctor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde75171-651e-11dc-a35f-0016d3a08bc1}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed9c9c9a-b6d1-11dc-a449-0016d3a08bc1}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- F:\Flash.10.Setup.exe
Open\command- F:\Flash.10.Setup.exe
Scan for Viruses\command- F:\Scanner.exe




-- End of Deckard's System Scanner: finished at 2008-06-04 15:54:19 ------------



extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™ Duo CPU T2350 @ 1.86GHz
CPU 1: Intel® Core™ Duo CPU T2350 @ 1.86GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 1014.04 MiB / 589.23 MiB
Pagefile Memory (total/avail): 2440.93 MiB / 2075.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.15 MiB

C: is Fixed (NTFS) - 53.71 GiB total, 17.33 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 20.81 GiB total, 9.73 GiB free.

\\.\PHYSICALDRIVE0 - FUJITSU MHW2080BH PL - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 53.71 GiB - C:
\PARTITION1 - Installable File System - 20.81 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: BitDefender 8 Standard v7.2 (Softwin)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Deluge\\deluge.exe"="C:\\Program Files\\Deluge\\deluge.exe:*:Enabled:deluge"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Computer\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPAQ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Computer
LOGONSERVER=\\COMPAQ
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e0c
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Computer\LOCALS~1\Temp
TMP=C:\DOCUME~1\Computer\LOCALS~1\Temp
USERDOMAIN=COMPAQ
USERNAME=Computer
USERPROFILE=C:\Documents and Settings\Computer
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Computer (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E47302B-8081-46D3-9FEA-BEB2E5F5C3EC}\setup.exe" -l0x9 anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{46AC899A-9ECB-43DC-85DE-272E0D116A1E}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AoA Audio Extractor 1.0 --> "C:\Program Files\AoA Audio Extractor\unins000.exe"
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BitDefender 8 Standard --> MsiExec.exe /I{4E3C690C-3266-4DF2-8D29-8A4870EEA807}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -Iwis30B5a.INF
Counter-Strike 1.6 --> C:\Program Files\Counter-Strike 1.6\Uninstal.exe
Deluge --> C:\Program Files\Deluge\deluge-uninst.exe
Guitar Pro 5.0 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_SprtHD5m\UIU32m.exe -U -ISprtHD5m.inf
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP Quick Launch Buttons 6.00 G2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe" -l0x9 -removeonly uninst
HP Wireless Assistant 2.00 E1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\Setup.exe" -l0x9 hpquninst
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PRO Network Connections Drivers --> Prounstl.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Codec Pack 2.78 Full BETA2 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Logitech QuickCam Driver Package --> "C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type15732 / Warning
Event Submitted/Written: 06/04/2008 03:37:44 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

Event Record #/Type15731 / Warning
Event Submitted/Written: 06/04/2008 03:37:44 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type15729 / Warning
Event Submitted/Written: 06/04/2008 03:37:32 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

Event Record #/Type15728 / Warning
Event Submitted/Written: 06/04/2008 03:37:32 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type15727 / Warning
Event Submitted/Written: 06/04/2008 03:37:27 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22827 / Error
Event Submitted/Written: 06/04/2008 03:37:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The REGSpy service failed to start due to the following error:
%%2

Event Record #/Type22826 / Error
Event Submitted/Written: 06/04/2008 03:37:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FILESpy service failed to start due to the following error:
%%2

Event Record #/Type22812 / Error
Event Submitted/Written: 06/04/2008 03:37:31 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The REGSpy service failed to start due to the following error:
%%2

Event Record #/Type22811 / Error
Event Submitted/Written: 06/04/2008 03:37:31 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FILESpy service failed to start due to the following error:
%%2

Event Record #/Type22806 / Error
Event Submitted/Written: 06/04/2008 00:03:00 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.125 for the Network Card with network address 0016D3A08BC1 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-06-04 15:54:19 ------------


Thanks!
  • 0

#4
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello kienz, thanks for the reply.. btw, apa khabar :)


Please do the following..

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.
  • 0

#5
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Haha, khabar baik kawan, khabar baik. My firefox is foxing away like it used to again, back to the speed I was used to, thanks man! Here's the combofix logs btw.

ComboFix 08-06-03.1 - Computer 2008-06-05 1:26:04.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.596 [GMT 8:00]
Running from: C:\Documents and Settings\Computer\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\__c00300A4.dat
C:\WINDOWS\system32\__c00387A5.dat
C:\WINDOWS\system32\__c0045D10.dat
C:\WINDOWS\system32\__c0099E89.dat
C:\WINDOWS\system32\__c00E3EA4.dat
C:\WINDOWS\system32\__c00F459C.dat
C:\WINDOWS\system32\__c00F9C09.dat
C:\WINDOWS\system32\aygvqbda.ini
C:\WINDOWS\system32\ehkhhibm.ini
C:\WINDOWS\system32\geuensrm.ini
C:\WINDOWS\system32\iekudutp.ini
C:\WINDOWS\system32\ifsnkfbi.exe
C:\WINDOWS\system32\iqpqanoo.dll
C:\WINDOWS\system32\ixqtstob.exe
C:\WINDOWS\system32\iyluxdis.dll
C:\WINDOWS\system32\jkkHBRJc.dll
C:\WINDOWS\system32\jkkJawxw.dll
C:\WINDOWS\system32\jqhfeull.dll
C:\WINDOWS\system32\khfCtrSk.dll
C:\WINDOWS\system32\kowrjxcm.dll
C:\WINDOWS\system32\lbngeoqf.dll
C:\WINDOWS\system32\liwiwhwh.exe
C:\WINDOWS\system32\ljJASjGA.dll
C:\WINDOWS\system32\mbihhkhe.dll
C:\WINDOWS\system32\modrbrer.ini
C:\WINDOWS\system32\nnnkHwxV.dll
C:\WINDOWS\system32\ocxvnrmj.ini
C:\WINDOWS\system32\piuddetp.dll
C:\WINDOWS\system32\qakaetjk.dll
C:\WINDOWS\system32\qepbalxb.dll
C:\WINDOWS\system32\qlvpkpaq.exe
C:\WINDOWS\system32\qoMEVNeE.dll
C:\WINDOWS\system32\quhxirhd.dll
C:\WINDOWS\system32\rcqjxaxp.dll
C:\WINDOWS\system32\rerbrdom.dll
C:\WINDOWS\system32\rkiyekud.ini
C:\WINDOWS\system32\rqRHxxxV.dll
C:\WINDOWS\system32\rtejuhpg.dll
C:\WINDOWS\system32\rulqwfhk.dll
C:\WINDOWS\system32\segowqtu.dll
C:\WINDOWS\system32\swoukkyn.dll
C:\WINDOWS\system32\tbemwoyi.exe
C:\WINDOWS\system32\thkgirif.exe
C:\WINDOWS\system32\tuvSkHwU.dll
C:\WINDOWS\system32\ufcrxvdi.exe
C:\WINDOWS\system32\uqkgldeh.dll
C:\WINDOWS\system32\uvfnrrio.dll
C:\WINDOWS\system32\vgwxwjdl.dll
C:\WINDOWS\system32\voralkfu.dll
C:\WINDOWS\system32\vtivnifc.ini
C:\WINDOWS\system32\VxxxHRqr.ini
C:\WINDOWS\system32\VxxxHRqr.ini2
C:\WINDOWS\system32\wnycleiw.dll
C:\WINDOWS\system32\xekpcjda.dll
C:\WINDOWS\system32\xxyVMdcA.dll
C:\WINDOWS\system32\yukyjvib.dll
C:\WINDOWS\system32\yxqnlbvf.ini
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-05 01:22 . 2008-06-05 01:22 0 --a------ C:\WINDOWS\BMef830d90.xml
2008-06-04 15:52 . 2008-06-04 15:52 <DIR> d-------- C:\Deckard
2008-06-04 02:19 . 2008-06-04 02:19 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\gtk-2.0
2008-06-04 02:18 . 2008-06-04 02:19 <DIR> d-------- C:\Documents and Settings\Computer\deluge
2008-06-04 02:15 . 2008-06-04 02:16 <DIR> d-------- C:\Program Files\Deluge
2008-06-01 23:11 . 2008-06-01 23:11 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Uniblue
2008-05-31 16:45 . 2008-05-31 16:45 2,724,513 --ahs---- C:\WINDOWS\system32\srudbdll.tmp
2008-05-29 22:24 . 2008-05-29 22:24 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 22:24 . 2008-05-29 22:24 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 22:23 . 2008-05-29 22:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-29 22:23 . 2008-05-31 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 22:23 . 2008-05-31 16:56 352,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 22:23 . 2008-05-31 16:56 11,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 22:23 . 2008-05-31 16:56 6,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-29 22:23 . 2008-05-31 16:56 3,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-29 17:14 . 2008-06-05 01:22 6,272 --a------ C:\WINDOWS\system32\drivers\TestUSB.sys
2008-05-29 07:30 . 2008-05-29 07:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-24 17:19 . 2008-05-24 17:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 13:08 . 2008-05-23 13:10 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\U3
2008-05-21 14:38 . 2008-05-21 14:38 57,344 --a------ C:\WINDOWS\system32\ROAAE3.tmp
2008-05-20 17:27 . 2008-05-20 17:37 923,848 --a------ C:\WINDOWS\system32\driver32\Info.txt
2008-05-19 17:57 . 2008-05-19 19:57 354 --ahs---- C:\WINDOWS\system32\iuosdwja.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 15:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 10:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 10:19 --------- d-----w C:\Program Files\e-Games
2008-06-01 10:14 --------- d-----w C:\Program Files\BitComet
2008-05-21 06:53 --------- d-----w C:\Program Files\Skype
2008-04-30 06:57 --------- d-----w C:\Program Files\MSECache
2008-04-20 05:06 --------- d-----w C:\Program Files\Guitar Pro 5
2008-04-06 04:59 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-04 13:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-27 17:35 14 ----a-w C:\Documents and Settings\Computer\getfile.dat
2007-09-06 22:03 0 --sha-w C:\WINDOWS\ms.config`.exe
2007-09-06 22:03 0 --sha-w C:\WINDOWS\rm.exe
2007-09-06 22:03 25,088 --sha-w C:\WINDOWS\sy.exe
2007-09-06 22:03 3,767,595 --sha-w C:\WINDOWS\WinAVI_Video_Converter.exe
.

------- Sigcheck -------

2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-02-28 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-28 18:39 359808 ea754d7c4824cc93ec0758aac70e4b07 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-06 12:59 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\dllcache\tcpip.sys
2008-04-06 12:59 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_ 1.13.16.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 17:09:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 17:35:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-26 22:24:47 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-12 18:55:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2008-02-27 16:41:44 5,595,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-13 17:19:46 6,336,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-02-27 16:41:44 208,896 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-13 17:19:47 229,376 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-29 09:59:49 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-02-08 10:35:42 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
- 2008-01-23 14:29:37 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-21 03:33:36 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-23 14:29:37 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-21 03:33:36 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-31 08:56:00 560,292 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
C:\WINDOWS\system32\awtUoooO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 11:38 131072]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 11:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 11:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 11:17 118784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49 454656]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\\bdmcon.exe" [2007-09-12 20:52 421888]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender8\\bdswitch.exe" [2007-09-12 20:52 33280]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2007-09-12 20:52 8192]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 07:15 600896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-14 00:28 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccPrxy.exe"="ccPrxy.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\awtUoooO.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUoooO]
awtUoooO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0099E89]
__c0099E89.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F459C]
__c00F459C.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqRHxxxV

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\Program Files\\Deluge\\deluge.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18477:TCP"= 18477:TCP:BitComet 18477 TCP
"18477:UDP"= 18477:UDP:BitComet 18477 UDP

S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender8\filespy.sys []
S3 TestUSB;TestUSB;C:\WINDOWS\system32\drivers\TestUSB.sys [2008-06-05 01:22]
S3 ZTEusbmdm6k;ZTE Proprietary USB Driver;C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys []
S3 ZTEusbnmea;ZTE NMEA Port;C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys []
S3 ZTEusbser6k;ZTE Diagnostic Port;C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - F:\Flash.10.Setup.exe
\Shell\Open\command - F:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b60020-2886-11dd-a550-0016d3a08bc1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b60021-2886-11dd-a550-0016d3a08bc1}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60888782-0dcd-11dd-a4f9-001a6b7c908f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - Flash.10.Setup.exe
\Shell\Open\command - Flash.10.Setup.exe
\Shell\Scan for Viruses\command - Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c545994-25b8-11dd-a543-001a6b7c908f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93d89626-8f39-11dc-a3f0-0016d3a08bc1}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - F:\Flash.10.Setup.exe
\Shell\Open\command - F:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b61e6b-a31a-11dc-a425-001a6b7c908f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - F:\Flash.10.Setup.exe
\Shell\Open\command - F:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae709848-70b3-11dc-a381-001a6b7c908f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL QQDoctor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed9c9c9a-b6d1-11dc-a449-0016d3a08bc1}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - F:\Flash.10.Setup.exe
\Shell\Open\command - F:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - F:\Scanner.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 23:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 01:35:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-05 1:39:15
ComboFix-quarantined-files.txt 2008-06-04 17:39:12
ComboFix2.txt 2008-05-13 17:13:57

Pre-Run: 18,548,690,944 bytes free
Post-Run: 18,501,500,928 bytes free

254 --- E O F --- 2008-05-01 19:01:07


And here's the new Hijackthis logs you asked for

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:50 AM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AA0726C-95B7-4216-AA43-B5BDD524892F} - C:\WINDOWS\system32\awtUoooO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender8\\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: awtUoooO - awtUoooO.dll (file missing)
O20 - Winlogon Notify: __c0099E89 - __c0099E89.dat (file missing)
O20 - Winlogon Notify: __c00F459C - __c00F459C.dat (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8503 bytes

oh yeah, terima kasih!
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purpose until we give it all clear




Sama-sama.. Now lets do the following..

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
TestUSB

File::
C:\WINDOWS\BMef830d90.xml
C:\WINDOWS\system32\iuosdwja.ini
C:\WINDOWS\system32\drivers\TestUSB.sys 
C:\WINDOWS\system32\awtUoooO.dll
C:\WINDOWS\system32\driver32\Info.txt
C:\WINDOWS\ms.config`.exe
C:\WINDOWS\rm.exe
C:\WINDOWS\sy.exe
C:\WINDOWS\system32\awtUoooO.dll
C:\WINDOWS\system32\rqRHxxxV.dll
F:\Flash.10.Setup.exe
F:\Scanner.exe
F:\LaunchU3.exe
G:\Flash.10.Setup.exe
G:\Scanner.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccPrxy.exe"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUoooO]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0099E89]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F459C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b60020-2886-11dd-a550-0016d3a08bc1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b60021-2886-11dd-a550-0016d3a08bc1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60888782-0dcd-11dd-a4f9-001a6b7c908f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c545994-25b8-11dd-a543-001a6b7c908f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93d89626-8f39-11dc-a3f0-0016d3a08bc1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b61e6b-a31a-11dc-a425-001a6b7c908f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae709848-70b3-11dc-a381-001a6b7c908f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed9c9c9a-b6d1-11dc-a449-0016d3a08bc1}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



NEXT


Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\WinAVI_Video_Converter.exe
      C:\WINDOWS\system32\ROAAE3.tmp
      C:\WINDOWS\system32\srudbdll.tmp
  • Click on the submit button. One file at a time
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.



Please post the following logs in your next reply..

1. ComboFix
2. Jotti/VirusTotal result
3. A fresh HijackThis log (after Jotti step)


Regards
fenzodahl512
  • 0

#7
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Alright kawan, did what you told man, here's the stuff :)

1. Combofix

ComboFix 08-06-03.1 - Computer 2008-06-05 12:01:37.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.718 [GMT 8:00]
Running from: C:\Documents and Settings\Computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Computer\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMef830d90.xml
C:\WINDOWS\ms.config`.exe
C:\WINDOWS\rm.exe
C:\WINDOWS\sy.exe
C:\WINDOWS\system32\awtUoooO.dll
C:\WINDOWS\system32\driver32\Info.txt
C:\WINDOWS\system32\drivers\TestUSB.sys
C:\WINDOWS\system32\iuosdwja.ini
C:\WINDOWS\system32\rqRHxxxV.dll
F:\Flash.10.Setup.exe
F:\LaunchU3.exe
F:\Scanner.exe
G:\Flash.10.Setup.exe
G:\Scanner.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMef830d90.xml
C:\WINDOWS\ms.config`.exe
C:\WINDOWS\rm.exe
C:\WINDOWS\sy.exe
C:\WINDOWS\system32\driver32\Info.txt
C:\WINDOWS\system32\drivers\TestUSB.sys
C:\WINDOWS\system32\iuosdwja.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TESTUSB
-------\Service_TestUSB


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 04:03 . 2008-06-05 04:03 <DIR> d-------- C:\Program Files\Winamp
2008-06-05 04:03 . 2008-06-05 04:09 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Winamp
2008-06-05 02:35 . 2008-06-05 02:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-04 15:52 . 2008-06-04 15:52 <DIR> d-------- C:\Deckard
2008-06-04 02:19 . 2008-06-04 02:19 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\gtk-2.0
2008-06-04 02:18 . 2008-06-04 02:19 <DIR> d-------- C:\Documents and Settings\Computer\deluge
2008-06-04 02:15 . 2008-06-04 02:16 <DIR> d-------- C:\Program Files\Deluge
2008-06-01 23:11 . 2008-06-01 23:11 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Uniblue
2008-05-31 16:45 . 2008-05-31 16:45 2,724,513 --ahs---- C:\WINDOWS\system32\srudbdll.tmp
2008-05-29 22:24 . 2008-05-29 22:24 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 22:24 . 2008-05-29 22:24 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 22:23 . 2008-05-29 22:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-29 22:23 . 2008-05-31 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 22:23 . 2008-05-31 16:56 352,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 22:23 . 2008-05-31 16:56 11,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 22:23 . 2008-05-31 16:56 6,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-29 22:23 . 2008-05-31 16:56 3,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-29 07:30 . 2008-05-29 07:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-24 17:19 . 2008-05-24 17:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 13:08 . 2008-05-23 13:10 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\U3
2008-05-21 14:38 . 2008-05-21 14:38 57,344 --a------ C:\WINDOWS\system32\ROAAE3.tmp
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 18:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 10:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 10:19 --------- d-----w C:\Program Files\e-Games
2008-06-01 10:14 --------- d-----w C:\Program Files\BitComet
2008-05-21 06:53 --------- d-----w C:\Program Files\Skype
2008-04-30 06:57 --------- d-----w C:\Program Files\MSECache
2008-04-29 03:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 03:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 03:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-20 05:06 --------- d-----w C:\Program Files\Guitar Pro 5
2008-04-06 04:59 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-04 13:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-27 17:35 14 ----a-w C:\Documents and Settings\Computer\getfile.dat
2007-09-06 22:03 3,767,595 --sha-w C:\WINDOWS\WinAVI_Video_Converter.exe
.

------- Sigcheck -------

2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-02-28 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-28 18:39 359808 ea754d7c4824cc93ec0758aac70e4b07 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-06 12:59 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\dllcache\tcpip.sys
2008-04-06 12:59 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_ 1.13.16.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 17:09:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 04:04:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-26 22:24:47 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-12 18:55:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2008-02-27 16:41:44 5,595,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-13 17:19:46 6,336,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-02-27 16:41:44 208,896 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-13 17:19:47 229,376 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-29 09:59:49 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-03-07 23:51:00 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
+ 2007-03-07 23:51:00 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
+ 2008-02-08 10:35:42 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
+ 2007-03-07 23:51:00 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
- 2008-01-23 14:29:37 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-21 03:33:36 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-23 14:29:37 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-21 03:33:36 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-03-07 23:51:00 547,576 ------w C:\WINDOWS\system32\px.dll
+ 2007-03-07 23:51:00 129,784 ------w C:\WINDOWS\system32\pxafs.dll
+ 2007-03-07 23:51:00 64,760 ------w C:\WINDOWS\system32\pxcpya64.exe
+ 2007-03-07 23:51:00 510,712 ------w C:\WINDOWS\system32\pxdrv.dll
+ 2007-03-07 23:51:00 72,440 ------w C:\WINDOWS\system32\pxhpinst.exe
+ 2007-03-07 23:51:00 64,760 ------w C:\WINDOWS\system32\pxinsa64.exe
+ 2007-03-07 23:51:00 187,128 ------w C:\WINDOWS\system32\pxmas.dll
+ 2007-03-07 23:51:00 1,628,920 ------w C:\WINDOWS\system32\pxsfs.dll
+ 2007-03-07 23:51:00 379,640 ------w C:\WINDOWS\system32\pxwave.dll
+ 2008-05-31 08:56:00 560,292 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-03-07 23:51:00 39,672 ------w C:\WINDOWS\system32\vxblock.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 11:38 131072]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 11:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 11:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 11:17 118784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49 454656]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\\bdmcon.exe" [2007-09-12 20:52 421888]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender8\\bdswitch.exe" [2007-09-12 20:52 33280]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2007-09-12 20:52 8192]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 07:15 600896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-14 00:28 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 02:49 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\Program Files\\Deluge\\deluge.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18477:TCP"= 18477:TCP:BitComet 18477 TCP
"18477:UDP"= 18477:UDP:BitComet 18477 UDP

S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender8\filespy.sys []
S3 ZTEusbmdm6k;ZTE Proprietary USB Driver;C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys []
S3 ZTEusbnmea;ZTE NMEA Port;C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys []
S3 ZTEusbser6k;ZTE Diagnostic Port;C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 23:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 12:04:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2008-06-05 12:08:21 - machine was rebooted [Computer]
ComboFix-quarantined-files.txt 2008-06-05 04:08:18
ComboFix2.txt 2008-06-04 17:39:16
ComboFix3.txt 2008-05-13 17:13:57

Pre-Run: 18,275,409,920 bytes free
Post-Run: 18,292,469,760 bytes free

203 --- E O F --- 2008-05-01 19:01:07

2. Jotti scan results

All scans found nothing

File : WinAVI_Video_Converter.exe
Status : OK
MD5 : 184a2c996f4c068126be46f82c5b1c11

File : ROAAE3.tmp
Status : OK
MD5 : daf54d093462bf40fd28134fd00c30d2

File : srudbdll.tmp
Status : OK
MD5 : 5a7ae1cedbb4c457546522c61f3ac738

3. Hijackthis (after Jotti)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:03 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender8\\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8266 bytes

Alright, there ya go buddy, thanks again and have a nice day :)
  • 0

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ah.. this is great.. Where do you live? I'm in Penang Island but my hometown is in Shah Alam :)


Now, lets do this..


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Please include a fresh Deckard System Scanner log (after MalwareBytes' step) in your next reply..


Regards
fenzodahl512
  • 0

#9
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I've lived in PJ all my life man, getting boring here :) hehe, things're going great here too, and here's the mbam logs

Malwarebytes' Anti-Malware 1.14
Database version: 826

2:57:33 PM 6/5/2008
mbam-log-6-5-2008 (14-57-33).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 83085
Time elapsed: 17 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Computer.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:26 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Computer\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Computer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender8\\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8330 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 14:37:37 0 d-------- C:\Documents and Settings\Computer\Application Data\Malwarebytes
2008-06-05 14:37:35 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 14:37:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 04:03:02 0 d-------- C:\Program Files\Winamp
2008-06-05 04:03:02 0 d-------- C:\Documents and Settings\Computer\Application Data\Winamp
2008-06-05 02:35:24 0 d-------- C:\Program Files\Lavasoft
2008-06-04 20:52:55 0 d-------- C:\cmdcons
2008-06-04 02:19:15 0 d-------- C:\Documents and Settings\Computer\Application Data\gtk-2.0
2008-06-04 02:18:03 0 d-------- C:\Documents and Settings\Computer\deluge
2008-06-04 02:15:39 0 d-------- C:\Program Files\Deluge
2008-06-01 23:11:23 0 d-------- C:\Documents and Settings\Computer\Application Data\Uniblue
2008-05-29 22:24:30 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 22:24:30 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 22:23:21 11552 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 22:23:21 352288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 22:23:19 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-29 22:23:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 07:30:17 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-24 17:19:47 0 d-------- C:\Program Files\Trend Micro
2008-05-23 13:08:09 0 d-------- C:\Documents and Settings\Computer\Application Data\U3
2008-05-14 00:45:49 68096 --a------ C:\WINDOWS\zip.exe
2008-05-14 00:45:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-14 00:45:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-14 00:45:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-14 00:45:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-14 00:45:49 98816 --a------ C:\WINDOWS\sed.exe
2008-05-14 00:45:49 80412 --a------ C:\WINDOWS\grep.exe
2008-05-14 00:45:49 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >


-- Find3M Report ---------------------------------------------------------------

2008-06-05 02:35:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 18:21:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-01 18:19:52 0 d-------- C:\Program Files\e-Games
2008-06-01 18:14:49 0 d-------- C:\Program Files\BitComet
2008-05-21 14:53:42 0 d-------- C:\Program Files\Skype
2008-04-30 14:57:16 0 d-------- C:\Program Files\MSECache
2008-04-20 13:06:58 0 d-------- C:\Program Files\Guitar Pro 5


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [03/23/2006 11:38 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 11:17 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 11:13 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 11:17 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [02/14/2006 10:49 AM]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\\bdmcon.exe" [09/12/2007 08:52 PM]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender8\\bdswitch.exe" [09/12/2007 08:52 PM]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [09/12/2007 08:52 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/08/2006 07:15 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/14/2007 12:28 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/02/2008 02:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-05 14:58:49 ------------


Man, makes me wonder how you go through the logs so quickly. By the way, should I keep mbam in my com or should I stick to the conventional ad-aware? Can't seem to get Ad-aware to properly update lately though, don't know why.
  • 0

#10
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
MBAM FTW!!


by the way.. It seems your mbam log has been cut-off.. could you please start the MBAM once again
  • click on the Logs tab
  • choose the latest log (should be just one rite?)
  • Post its content here


Tell me about your computer..
  • 0

Advertisements


#11
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Oops, wonder what went wrong back there. Anyway, here goes.


Malwarebytes' Anti-Malware 1.14
Database version: 826

2:57:33 PM 6/5/2008
mbam-log-6-5-2008 (14-57-33).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 83085
Time elapsed: 17 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ShipTr (Trojan.ShipUp) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\rerbrdom.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5AC94607-3E82-4AC2-BCCD-347F5C04B2D7}\RP141\A0030967.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5AC94607-3E82-4AC2-BCCD-347F5C04B2D7}\RP143\A0031319.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5AC94607-3E82-4AC2-BCCD-347F5C04B2D7}\RP143\A0031350.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5AC94607-3E82-4AC2-BCCD-347F5C04B2D7}\RP145\A0031509.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5AC94607-3E82-4AC2-BCCD-347F5C04B2D7}\RP147\A0031681.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5AC94607-3E82-4AC2-BCCD-347F5C04B2D7}\RP149\A0032830.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Thinks I got it right this time :)

My com? Hmmm, running on XP Service Pack 2, Intel® Core ™ Duo CPU T2350 @ 1.86GHz, 1GB RAM. Pretty much alright to run most things I need to run, a work PC I'd say. Oh yeah, I got infected and cleared Jambanmu before I got to this forum, and I notice my XP is registered to JambanMuV2 still, with a stupid "Die!Die!Die!" written there as well. :) Any idea where I can change that? Tis ugly
  • 0

#12
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Yeah.. I've heard about JambanMu virus.. but never across it in Real-life..

Can you give me the screenie please?
  • 0

#13
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Screenshot attached. Removing that thing was the first time I used Combofix actually.

Attached Thumbnails

  • jambanmu.JPG

  • 0

#14
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok.. TLets do this.. and then tell me the result...

The steps that I am about to suggest involve modifying the registry. Modfying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instruction on how to back-up registry via ERUNT, please visit HERE




NEXT


Please copy and paste the following into a Notepad

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization"="user"
"RegisteredOwner"="user"

Save it in desktop as Fix.reg and in Save as type: choose All Files

A new registry file will then created on your desktop. It should look like this: Posted Image

Just double-click the file and choose Yes at prompt.

If you do not sure how to make a registry file, please visit HERE for the tutorial.
  • 0

#15
kienz

kienz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Nyenyenyenyeh, ngiekz, done =D Thanks! :)

Attached Thumbnails

  • yeah___.JPG

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP