Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32/Adware.Virtumonde [RESOLVED]


  • This topic is locked This topic is locked

#1
ewynmeow

ewynmeow

    New Member

  • Member
  • Pip
  • 5 posts
Hi all ,

I recently got hit with Virtumonde trojan. Ran thorough checks with NOD32, got an infection on C:\Windows\system32\opnlixuk.dll and tried to delete it it via NOD32 but failed. Deleted it manually and rebooted, did another quick scan with Malwarebytes' Anti-Malware.

I did not use VundoFix as i am running on an Asian version of Windows.

Am posting this thread to check if threat is cleaned up (hopefully :) ). Below are HJT & Malwarebytes' Anti-Malware logs. Is my system clean now? What are the next step(s) i should take?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:43 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Share\Share.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - Winlogon Notify: opnlIxUK - opnlIxUK.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6012 bytes

Malwarebytes' Anti-Malware 1.17
Database version: 846

6:31:29 PM 6/11/2008
mbam-log-6-11-2008 (18-31-29).txt

Scan type: Quick Scan
Objects scanned: 45171
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks in advance for the help.
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
ewynmeow

ewynmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Rorschach112, these are the logs :

Deckard's System Scanner v20071014.68
Run by Weighler on 2008-06-12 01:40:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Weighler.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:15 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Weighler\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Weighler.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - Winlogon Notify: opnlIxUK - opnlIxUK.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5681 bytes

-- Files created between 2008-05-12 and 2008-06-12 -----------------------------

2008-06-11 18:18:25 0 d-------- C:\Documents and Settings\Weighler\Application Data\Malwarebytes
2008-06-11 18:18:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:18:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 18:17:35 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-11 17:55:48 0 d-------- C:\Program Files\Trend Micro
2008-06-05 04:17:33 11010048 --a------ C:\Documents and Settings\Weighler\ntuser.dat
2008-05-28 21:47:51 0 d-------- C:\Documents and Settings\Weighler\Application Data\Hamachi
2008-05-26 21:57:24 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-22 19:55:47 0 d-------- C:\Program Files\uTorrent
2008-05-18 15:16:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-18 15:16:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-14 18:15:43 0 d-------- C:\Program Files\CoreCodec


-- Find3M Report ---------------------------------------------------------------

2008-06-12 01:32:16 0 d-------- C:\Documents and Settings\Weighler\Application Data\foobar2000
2008-06-12 00:45:46 0 d-------- C:\Documents and Settings\Weighler\Application Data\uTorrent
2008-06-11 20:03:30 0 d-------- C:\Program Files\FlashGet
2008-06-11 18:17:35 0 d-------- C:\Program Files\Common Files
2008-06-11 16:56:36 1368 --a------ C:\WINDOWS\mozver.dat
2008-06-11 10:34:31 0 d-------- C:\Program Files\CDisplay
2008-06-10 21:58:59 0 d-------- C:\Program Files\MMU Notes
2008-06-06 18:55:12 0 d-------- C:\Program Files\TuneUp Utilities 2007
2008-06-02 06:24:32 0 d-------- C:\Program Files\foobar2000
2008-05-31 02:12:56 0 d-------- C:\Program Files\Monkey's Audio
2008-05-29 09:49:02 0 d-------- C:\Program Files\Last.fm
2008-05-29 08:48:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-28 00:28:27 0 d-------- C:\Documents and Settings\Weighler\Application Data\FileZilla
2008-05-23 20:12:18 0 d-------- C:\Program Files\MKVtoolnix
2008-05-18 15:08:59 0 d-------- C:\Documents and Settings\Weighler\Application Data\AdobeUM
2008-03-19 19:29:30 63608 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"RTHDCPL"="RTHDCPL.EXE" [01/30/2007 06:54 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 03:40 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01/01/2007 12:04 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [10/27/2006 03:48 PM]
"system32OSNN Agent"="C:\WINDOWS\system32OSNN.exe" [11/06/2007 07:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3CA60057-9277-49C0-8D64-280DBAD9C3E1}"= C:\WINDOWS\system32\opnlIxUK.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlIxUK]
opnlIxUK.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ABIT uGuruIII"=C:\Program Files\U-ABIT\abitEQ\ABITEQ.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-06-12 01:40:33 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® Dual CPU E2140 @ 1.60GHz
CPU 1: Intel® Pentium® Dual CPU E2140 @ 1.60GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2046.42 MiB / 1555.31 MiB
Pagefile Memory (total/avail): 3429.07 MiB / 3088.17 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.76 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 41.64 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 97.65 GiB total, 39.05 GiB free.
F: is Fixed (NTFS) - 97.65 GiB total, 6.5 GiB free.
G: is Fixed (NTFS) - 84.14 GiB total, 4.04 GiB free.
H: is CDROM (No Media)
I: is CDROM (No Media)
J: is Fixed (NTFS) - 465.76 GiB total, 381.27 GiB free.

\\.\PHYSICALDRIVE0 - SAMSUNG SP0842N - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE2 - ST3300620AS - 279.46 GiB - 3 partitions
\PARTITION0 - Extended w/Extended Int 13 - 97.65 GiB - F:
\PARTITION1 (bootable) - Installable File System - 97.65 GiB - E:
\PARTITION2 - Installable File System - 84.14 GiB - G:

\\.\PHYSICALDRIVE1 - WDC WD5000AACS-00ZUB0 - 465.76 GiB - 1 partition
\PARTITION0 - Installable File System - 465.76 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\SetupWizard.exe"="D:\\SetupWizard.exe:*:Enabled:SetupWizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:Last.fm"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"D:\\SetupWizard.exe"="D:\\SetupWizard.exe:*:Enabled:SetupWizard"
"C:\\Documents and Settings\\Weighler\\My Documents\\APPLICATIONS\\hfs.exe"="C:\\Documents and Settings\\Weighler\\My Documents\\APPLICATIONS\\hfs.exe:*:Enabled:hfs"
"C:\\sysreset\\mirc.exe"="C:\\sysreset\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\Share\\Share.exe"="C:\\Share\\Share.exe:*:Enabled:Share"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TightVNC\\WinVNC.exe"="C:\\Program Files\\TightVNC\\WinVNC.exe:*:Enabled:TightVNC Win32 Server"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Weighler\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VAL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Weighler
LOGONSERVER=\\VAL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\MKVtoolnix;C:\Program Files\OpenVPN\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Weighler\LOCALS~1\Temp
TMP=C:\DOCUME~1\Weighler\LOCALS~1\Temp
USERDOMAIN=VAL
USERNAME=Weighler
USERPROFILE=C:\Documents and Settings\Weighler
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Weighler (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
abitEQ V1.1.0.9 --> C:\Program Files\InstallShield Installation Information\{A3DB6885-DDFA-442A-A2C2-EC1842CA4953}\setup.exe -runfromtemp -l0x0009 -removeonly
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
ATLAS Translation Double Pack V13.0 Trial Version --> MsiExec.exe /I{433C2951-F34C-460A-A6DA-C0ACA0A90B97}
AVIVO --> MsiExec.exe /X{5399ACAF-7B15-43D5-9233-4E797B184FD2}
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
Combined Community Codec Pack 2007-02-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
CoreAVC Professional Edition (remove only) --> "C:\Program Files\CoreCodec\CoreAVC Professional Edition\CoreAVC Professional Edition-uninstall.exe"
dBpoweramp FLAC Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Dev-C++ 4 --> C:\WINDOWS\uninst.exe -fC:\Dev-C++\DeIsL1.isu -cC:\Dev-C++\_ISREG32.DLL
Exact Audio Copy 0.95b4 --> C:\Program Files\Exact Audio Copy\uninst.exe
FinePrint --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpinst5.exe /uninstall
FlashGet 1.8.2.1001 --> C:\Program Files\FlashGet\uninst.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Last.fm 1.5.1.29527 --> "C:\Program Files\Last.fm\unins000.exe"
Lock Folder XP 3.6 --> "C:\Program Files\Everstrike Software\Lock Folder XP 3.6\Uninstall.exe" "C:\Program Files\Common Files\Everstrike Software\Lock Folder XP 3.6\install.log"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft AppLocale --> MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Application Compatibility Database --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"
mIRC --> "C:\sysreset\mirc.exe" -uninstall
MKVtoolnix 2.1.0 --> C:\Program Files\MKVtoolnix\uninst.exe
Monkey's Audio --> "C:\Program Files\Monkey's Audio\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
No-IP.com DUC (remove only) --> "C:\Program Files\No-IP\DUC20.exe" -uninstall
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
OpenVPN 2.1_rc4 --> C:\Program Files\OpenVPN\Uninstall.exe
PSpice Student 9.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OrCAD_Demo\DeIsL1.isu"
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Real Alternative 1.7.5 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
Tau Producer (remove only) --> "C:\Program Files\True Audio\Tau Producer\WinTTA-uninstall.exe"
TightVNC 1.3.9 --> "C:\Program Files\TightVNC\unins000.exe"
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
USB Remote NDIS Network Device --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C309A0F-B84F-4766-ADF5-DF07EF303D4B}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
Xvid 1.1.3 final uninstall --> "C:\VirtualDub-MPEG2\Xvid\unins000.exe"
μTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL


-- Application Event Log -------------------------------------------------------

Event Record #/Type1208 / Error
Event Submitted/Written: 06/12/2008 01:33:56 AM
Event ID/Source: 3 / crypt32
Event Description:
Failed auto update retrieval of third-party root list cab from: <http://www.download....uthrootstl.cab> with error: This operation returned because the timeout period expired.

Event Record #/Type1206 / Error
Event Submitted/Written: 06/11/2008 10:10:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application NicoPlayer.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1201 / Error
Event Submitted/Written: 06/11/2008 06:15:55 PM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller

Event Record #/Type1195 / Error
Event Submitted/Written: 06/11/2008 05:25:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1183 / Error
Event Submitted/Written: 06/11/2008 09:09:22 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mplayerc.exe, version 6.4.9.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011f6c.
Processing media-specific event for [mplayerc.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14941 / Error
Event Submitted/Written: 06/11/2008 08:40:07 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000008' while processing the file 'unp015.avc' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

Event Record #/Type14926 / Error
Event Submitted/Written: 06/11/2008 08:07:44 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DynDNS Updater Service service failed to start due to the following error:
%%2

Event Record #/Type14895 / Error
Event Submitted/Written: 06/11/2008 06:13:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DynDNS Updater Service service failed to start due to the following error:
%%2

Event Record #/Type14889 / Warning
Event Submitted/Written: 06/11/2008 05:56:12 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00508DB2DD1A. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type14873 / Error
Event Submitted/Written: 06/11/2008 05:52:27 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DynDNS Updater Service service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-12 01:34:29 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 21:27:06
Records in database: 853614
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 64938
Threat name: 10
Infected objects: 38
Suspicious objects: 0
Duration of the scan: 06:47:46


File name / Threat name / Threats count
C:\WINDOWS\System32\msfont.dll/C:\WINDOWS\System32\msfont.dll Infected: Trojan.Win32.Zapchast.kl 1
C:\WINDOWS\system32OSNN.007/C:\WINDOWS\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 12
RTHDCPL.exe\system32OSNN.007/RTHDCPL.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
MOM.exe\system32OSNN.007/MOM.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
nod32kui.exe\system32OSNN.007/nod32kui.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
fpdisp5a.exe\system32OSNN.007/fpdisp5a.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
C:\WINDOWS\system32OSNN.exe/C:\WINDOWS\system32OSNN.exe Infected: Trojan-Spy.Win32.Ardamax.e 1
ctfmon.exe\system32OSNN.007/ctfmon.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
conime.exe\system32OSNN.007/conime.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
C:\sysreset\mirc.exe/C:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
mirc.exe\system32OSNN.007/mirc.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
Share.exe\Share.exe/Share.exe\Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a 1
C:\Share\Share.exe/C:\Share\Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a 1
Share.exe\system32OSNN.007/Share.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
firefox.exe\system32OSNN.007/firefox.exe\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.a 1
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Nero-6.6.1.15a.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Share10_a82.zip Infected: not-a-virus:Client-P2P.Win32.Share.a 1
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Share2.zip Infected: not-a-virus:Client-P2P.Win32.Share.a 1
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Spyware Doctor 4.0.0.2618.rar Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Share\Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a 1
C:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\WINDOWS\system32\msfont.dll Infected: Trojan.Win32.Zapchast.kl 1
C:\WINDOWS\system32OSNN.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
C:\WINDOWS\system32OSNN.exe Infected: Trojan-Spy.Win32.Ardamax.e 1
E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1

The selected area was scanned.
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: opnlIxUK - opnlIxUK.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{3CA60057-9277-49C0-8D64-280DBAD9C3E1}
    HKEY_CLASSES_ROOT\CLSID\{3CA60057-9277-49C0-8D64-280DBAD9C3E1}
    C:\WINDOWS\System32\msfont.dll
    C:\WINDOWS\system32OSNN.007
    C:\WINDOWS\system32OSNN.exe
    C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Nero-6.6.1.15a.exe
    C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Share10_a82.zip
    C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Spyware Doctor 4.0.0.2618.rar
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.


@echo off
dir "C:\Documents and Settings\Weighler\My Documents\APPLICATIONS">C:\peek.txt
start C:\peek.txt
del peek.bat


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in peek.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find peek.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.


Post the resulting notepad file that appears


Also post a new DSS log
  • 0

#5
ewynmeow

ewynmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Requested logs :

Explorer killed successfully
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{3CA60057-9277-49C0-8D64-280DBAD9C3E1} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{3CA60057-9277-49C0-8D64-280DBAD9C3E1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA60057-9277-49C0-8D64-280DBAD9C3E1}\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{3CA60057-9277-49C0-8D64-280DBAD9C3E1} >
Registry key HKEY_CLASSES_ROOT\CLSID\{3CA60057-9277-49C0-8D64-280DBAD9C3E1}\\ not found.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\msfont.dll
C:\WINDOWS\System32\msfont.dll NOT unregistered.
C:\WINDOWS\System32\msfont.dll moved successfully.
C:\WINDOWS\system32OSNN.007 moved successfully.
C:\WINDOWS\system32OSNN.exe moved successfully.
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Nero-6.6.1.15a.exe moved successfully.
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Share10_a82.zip moved successfully.
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Spyware Doctor 4.0.0.2618.rar moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06122008_233646


Volume in drive C has no label.
Volume Serial Number is 8CB4-5F00

Directory of C:\Documents and Settings\Weighler\My Documents\APPLICATIONS

06/12/2008 11:36 PM <DIR> .
06/12/2008 11:36 PM <DIR> ..
07/07/2007 09:48 PM 836,783 7zip.exe
08/13/2007 10:07 PM 20,020 agth.rar
11/30/2006 05:55 PM 6,479,576 Alcohol_120_v1.9.5.3823_Retail.rar
06/17/2007 07:13 AM 988,928 AM300 Firmware 1.19.00(T01) + UserGuide.zip
12/27/2006 05:17 PM 1,391,104 apploc.msi
02/01/2008 10:23 PM 291,751 ASIO4ALL_2_8_English.exe
10/06/2006 05:06 PM 140,595,444 ATLASV13ETrial.exe
01/20/2007 06:28 AM 11,633 ATLCHECK.zip
02/23/2007 10:34 AM 19,170,000 avg75free_441a944.exe
07/07/2007 09:48 PM 1,158,444 CDisplay.zip
07/03/2007 02:21 PM 7,462,674 Combined-Community-Codec-Pack-2007-02-22.exe
04/08/2007 02:11 PM 331,605 CoreAVC.H264.Video.Decoder.v1.3.0.0-EDGE.rar
08/31/2007 09:48 AM 1,221,577 cuesplitter_setup.exe
03/01/2007 03:21 PM 4,059,457 dBpowerAmp.rar
09/09/2007 01:35 AM 9,326,468 devcpp-4.9.9.2_setup.exe
02/05/2008 10:24 PM 1,212,431 dyndns-setup-win.zip
02/27/2007 02:29 AM 1,859,349 eac-0.95b4-cdrdao.exe
07/08/2007 11:31 AM 4,179,293 everesthome220.exe
05/28/2007 01:26 PM 39,957 EvID4226Patch223d-en.zip
06/09/2007 06:37 AM 43,266 FHC DICTIONARY to be added in ATLAS.zip
07/07/2007 06:54 PM 6,010,424 Firefox Setup 2.0.0.4.exe
03/22/2007 10:07 PM 3,446,360 flashget182en.exe
02/26/2007 12:21 PM 1,687,107 foobar2000_0.9.4.2.exe
08/21/2007 08:58 PM 323,403 foo_comserver2-0.7-setup.exe
09/13/2007 02:11 PM 93,175 foo_cuesheet_creator_0.4.6.zip
03/05/2007 01:29 PM 49,101 foo_dsp_delta.zip
02/01/2008 10:21 PM 88,802 foo_out_asio.zip
02/01/2008 10:21 PM 78,483 foo_out_ks.zip
08/30/2007 04:30 PM 1,920,928 fp571.exe
12/27/2006 05:15 PM 1,475,376 GenuineCheck.exe
07/31/2007 12:43 PM 563,200 hfs.exe
02/02/2007 10:02 AM 313,344 hjsplit.exe
08/30/2006 05:36 PM 40,792,958 HL.zip
04/17/2007 07:42 AM 75,086 IDM 5.09 crack.zip
04/06/2007 02:02 PM 2,311,608 idman509.exe
09/15/2007 08:51 AM 18,040,176 Install_Messenger_nous.exe
05/28/2008 04:41 PM <DIR> jwpce
09/27/2007 07:06 AM 470,007 lame-3.97.rar
07/01/2007 09:38 AM 4,102,635 LastFM_Win_1.3.0.62.exe
04/17/2007 01:33 AM 4,379,288 NJStar Japanese.rar
07/07/2007 09:26 PM 12,445,740 NOD32 Antivirus System 2.70.32 for All Windows.rar
01/19/2007 06:35 AM 1,657,954 paw-release-0.27.zip
07/23/2007 07:17 AM 12,858,896 RealPlayer10-5GOLD.exe
06/11/2008 05:18 PM 18,473,000 sdsetup.exe
09/17/2006 10:41 AM 1,231,283 Setup.exe
11/29/2007 04:52 AM 761,750 Share2.zip
05/11/2007 05:09 AM 9,757,184 StepMania-3.9.exe
07/26/2007 09:24 PM 294,799 sysreset255update.exe
11/26/2007 09:46 AM 163,226 Terayon v1.2.1.zip
02/05/2008 10:14 PM 1,598,819 tightvnc-1.3.9-setup.exe
12/28/2006 09:54 AM 9,145,685 Tuneup Utilities 2007.rar
05/22/2008 05:43 AM 249,435 uTorrent.rar
05/15/2007 03:07 PM 18,346,191 WDM_A400.exe
12/27/2006 05:14 PM 878,896 WGAPluginInstall.exe
09/27/2007 06:21 AM 256,709 wintta-setup.exe
07/07/2007 07:26 PM 9,393,768 winzip111.exe
07/07/2007 07:18 PM 1,207,026 wrar370.exe
07/06/2007 08:00 PM 1,270 xp_directory_reg.zip
57 File(s) 385,622,852 bytes
3 Dir(s) 43,578,986,496 bytes free

Deckard's System Scanner v20071014.68
Run by Weighler on 2008-06-12 23:38:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Weighler.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:46 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32OSNN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Weighler\Desktop\Nitro+\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Weighler.exe

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [system32OSNN Agent] C:\WINDOWS\system32OSNN.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5611 bytes

-- Files created between 2008-05-12 and 2008-06-12 -----------------------------

2008-06-11 18:18:25 0 d-------- C:\Documents and Settings\Weighler\Application Data\Malwarebytes
2008-06-11 18:18:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:18:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 18:17:35 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-11 17:55:48 0 d-------- C:\Program Files\Trend Micro
2008-06-05 04:17:33 11010048 --a------ C:\Documents and Settings\Weighler\ntuser.dat
2008-05-28 21:47:51 0 d-------- C:\Documents and Settings\Weighler\Application Data\Hamachi
2008-05-26 21:57:24 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-22 19:55:47 0 d-------- C:\Program Files\uTorrent
2008-05-18 15:16:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-18 15:16:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-14 18:15:43 0 d-------- C:\Program Files\CoreCodec


-- Find3M Report ---------------------------------------------------------------

2008-06-12 23:34:06 0 d-------- C:\Documents and Settings\Weighler\Application Data\foobar2000
2008-06-12 23:11:55 0 d-------- C:\Documents and Settings\Weighler\Application Data\uTorrent
2008-06-12 21:41:01 0 d-------- C:\Program Files\FlashGet
2008-06-11 18:17:35 0 d-------- C:\Program Files\Common Files
2008-06-11 16:56:36 1368 --a------ C:\WINDOWS\mozver.dat
2008-06-11 10:34:31 0 d-------- C:\Program Files\CDisplay
2008-06-10 21:58:59 0 d-------- C:\Program Files\MMU Notes
2008-06-06 18:55:12 0 d-------- C:\Program Files\TuneUp Utilities 2007
2008-06-02 06:24:32 0 d-------- C:\Program Files\foobar2000
2008-05-31 02:12:56 0 d-------- C:\Program Files\Monkey's Audio
2008-05-29 09:49:02 0 d-------- C:\Program Files\Last.fm
2008-05-29 08:48:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-28 00:28:27 0 d-------- C:\Documents and Settings\Weighler\Application Data\FileZilla
2008-05-23 20:12:18 0 d-------- C:\Program Files\MKVtoolnix
2008-05-18 15:08:59 0 d-------- C:\Documents and Settings\Weighler\Application Data\AdobeUM
2008-03-19 19:29:30 63608 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"RTHDCPL"="RTHDCPL.EXE" [01/30/2007 06:54 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 03:40 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01/01/2007 12:04 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [10/27/2006 03:48 PM]
"system32OSNN Agent"="C:\WINDOWS\system32OSNN.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ABIT uGuruIII"=C:\Program Files\U-ABIT\abitEQ\ABITEQ.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-06-12 23:39:08 ------------
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Alcohol_120_v1.9.5.3823_Retail.rar
    C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\NOD32 Antivirus System 2.70.32 for All Windows.rar
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Also tell me how your PC is running
  • 0

#7
ewynmeow

ewynmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Explorer killed successfully
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\Alcohol_120_v1.9.5.3823_Retail.rar moved successfully.
C:\Documents and Settings\Weighler\My Documents\APPLICATIONS\NOD32 Antivirus System 2.70.32 for All Windows.rar moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06132008_073347


Malwarebytes' Anti-Malware 1.17
Database version: 846

7:56:15 AM 6/13/2008
mbam-log-6-13-2008 (07-56-15).txt

Scan type: Quick Scan
Objects scanned: 45728
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

PC is running fine ( as before ). No slow downs or anything.
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#9
ewynmeow

ewynmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
- Updated Adobe Acrobat Reader
- Updated JRE
- ran OTMoveIt2 CleanUp!
- Created new system restore point

Have been using Mozilla Firefox since the beginning and i constantly update my Windows. Thank you again Rorschach112 for the assistance and safety tips. :)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP