Spyware/Virus Removal Help [RESOLVED]


#1
KSieber

    New Member

  • Member
  • 3 posts
Dear GeeksToGo Team,

For a couple of days now my computer has been acting up a bit, so I decided to scan my computer with HijackThis, DSS and Kaspersky Anti-Virus. I believe that I have been able to remove most of the threats using a combination of HijackThis and Kaspersky, which both claim that my computer is clean now. I have however noticed some weird .dll files in the DSS log, so some expert advice could be helpful.

DSS Log: Main.txt

Deckard's System Scanner v20071014.68
Run by God on 2008-07-12 18:40:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as God.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:00 PM, on 7/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky\avp.exe
C:\Program Files\Tools\Black\NP\DUC20.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky\avp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\D-Link\AirPlus.exe
C:\Documents and Settings\God\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\God.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215699820898
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8FBE62-9F25-4344-B637-AE6965B2625F}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\mzvkbd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky\avp.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\Tools\Black\NP\DUC20.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3905 bytes

-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 18:13:35 0 d-------- C:\Documents and Settings\God\Application Data\Malwarebytes
2008-07-12 18:13:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 18:13:30 0 d-------- C:\Program Files\Anti-Malware
2008-07-12 15:11:04 0 dr-h----- C:\Documents and Settings\God\Recent
2008-07-12 15:09:04 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-11 23:09:10 0 d-------- C:\Program Files\DAEMON Tools
2008-07-11 23:04:43 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-11 23:04:38 0 d-------- C:\Documents and Settings\God\Application Data\DAEMON Tools
2008-07-11 22:46:00 0 d--h----- C:\Program Files\Zero G Registry
2008-07-11 22:46:00 0 d-------- C:\Program Files\Football Manager 2008
2008-07-11 22:45:24 0 d--h----- C:\Documents and Settings\God\InstallAnywhere
2008-07-11 22:43:15 0 d-------- C:\Documents and Settings\God\Application Data\Sports Interactive
2008-07-11 12:42:47 0 d-------- C:\Program Files\MSBuild
2008-07-11 12:42:40 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-11 12:42:34 0 d-------- C:\Program Files\Reference Assemblies
2008-07-11 12:31:27 0 d-------- C:\Program Files\VLC
2008-07-10 23:19:31 0 d--h----- C:\WINDOWS\PIF
2008-07-10 23:09:11 0 d-------- C:\Program Files\Ad-Aware
2008-07-10 23:09:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 23:08:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 23:05:57 0 d-------- C:\Program Files\CCleaner
2008-07-10 22:16:09 0 d-------- C:\Documents and Settings\God\Application Data\Desktopicon
2008-07-10 21:29:42 1587 --ahs---- C:\WINDOWS\system32\nonmlUtv.ini2
2008-07-10 21:22:06 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-10 21:22:06 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-10 21:21:19 131104 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-10 21:21:19 591392 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-10 21:21:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-10 21:19:33 0 d-------- C:\Program Files\Kaspersky
2008-07-10 21:15:51 0 d-------- C:\WINDOWS\Sun
2008-07-10 21:15:51 0 d-------- C:\Documents and Settings\God\Application Data\Sun
2008-07-10 21:07:58 0 d-------- C:\Documents and Settings\God\Application Data\Macromedia
2008-07-10 21:07:57 0 d-------- C:\Documents and Settings\God\Application Data\Adobe
2008-07-10 20:58:40 0 d-------- C:\Documents and Settings\God\Contacts
2008-07-10 20:28:19 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-07-10 20:28:19 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-07-10 20:28:18 0 d-------- C:\WINDOWS\VirtualEar
2008-07-10 20:28:18 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2008-07-10 20:28:18 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-07-10 20:28:18 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-07-10 20:28:18 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-07-10 20:28:18 978944 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-07-10 20:28:18 380928 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-07-10 20:28:17 44 --a------ C:\WINDOWS\system32\msssc.dll
2008-07-10 20:28:17 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-07-10 20:28:17 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-07-10 20:28:17 0 d-------- C:\Program Files\Analog Devices
2008-07-10 20:26:18 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-07-10 20:22:12 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-10 20:21:45 0 d-------- C:\Program Files\Windows Live
2008-07-10 20:21:36 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-10 20:12:56 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-10 20:07:38 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-07-10 20:02:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-10 17:20:50 0 d--hs---- C:\WINDOWS\Installer
2008-07-10 17:20:50 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-10 17:20:47 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-07-10 17:20:46 0 dr------- C:\Program Files
2008-07-10 17:20:46 0 d-------- C:\Program Files\Common Files
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-07-10 17:20:27 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-07-10 17:20:27 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-07-10 17:20:27 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-07-10 17:20:27 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-07-10 17:20:27 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-07-10 17:20:27 0 dr------- C:\Documents and Settings\All Users\Documents
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-07-10 17:18:41 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-10 17:18:41 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-10 17:18:36 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-07-10 17:18:36 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-07-10 17:18:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-07-10 17:18:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-07-10 17:18:17 0 d--hs---- C:\System Volume Information
2008-07-10 17:18:17 0 d-------- C:\Documents and Settings
2008-07-10 17:13:13 0 d-------- C:\WINDOWS
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\WinSxS
2008-07-10 17:13:13 0 dr------- C:\WINDOWS\Web
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\twain_32
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\wins
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\wbem
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\usmt
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\spool
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\ShellExt
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\Setup
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\scripting
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\ras
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\oobe
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\npp
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\mui
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\inetsrv
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\IME
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\icsxml
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\ias
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\export
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\en
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\drivers
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-07-10 17:13:13 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\dhcp
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\config
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\3076
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\2052
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1054
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1042
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1041
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1037
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1033
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1031
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1028
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1025
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\security
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Resources
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\repair
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Provisioning
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\PeerNet
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\pchealth
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Network Diagnostic
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\mui
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\msapps
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\msagent
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Media
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\L2Schemas
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\java
2008-07-10 17:13:13 0 d--h----- C:\WINDOWS\inf
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\ime
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Help
2008-07-10 17:13:13 0 dr--s---- C:\WINDOWS\Fonts
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\ehome
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Driver Cache
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Debug
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Cursors
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Connection Wizard
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Config
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\AppPatch
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\addins
2008-07-10 17:00:19 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-10 17:00:17 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 16:58:22 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-10 16:23:36 0 d--hs---- C:\Documents and Settings\God\UserData
2008-07-10 16:23:07 676224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-07-10 16:19:11 0 d-------- C:\Documents and Settings\God\Application Data\WinRAR
2008-07-10 16:16:34 0 d-------- C:\Program Files\Tools
2008-07-10 16:08:18 0 d-------- C:\Program Files\uTorrent
2008-07-10 16:08:08 0 d-------- C:\Documents and Settings\God\Application Data\uTorrent
2008-07-10 16:05:43 0 d-------- C:\Program Files\Java
2008-07-10 16:05:02 0 d-------- C:\Program Files\Common Files\Java
2008-07-10 16:04:34 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-10 15:55:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-10 15:55:27 0 d-------- C:\Documents and Settings\God\Application Data\Mozilla
2008-07-10 15:55:18 0 d-------- C:\Program Files\Firefox
2008-07-10 15:47:35 147456 -ra------ C:\WINDOWS\system32\ssleay32.dll
2008-07-10 15:47:35 651264 -ra------ C:\WINDOWS\system32\libeay32.dll
2008-07-10 15:47:35 11861 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
2008-07-10 15:47:35 351776 --a------ C:\WINDOWS\system32\drivers\ar52119x.sys <Not Verified; D-Link; D-Link Wireless Network Adapter>
2008-07-10 15:47:35 351840 --a------ C:\WINDOWS\system32\drivers\ar5211.sys <Not Verified; D-Link; D-Link Wireless Network Adapter>
2008-07-10 15:47:35 114688 --a------ C:\WINDOWS\system32\athcfg10.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2008-07-10 15:47:35 450560 -ra------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client>
2008-07-10 15:47:35 327680 -ra------ C:\WINDOWS\system32\AegisE2.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client>
2008-07-10 15:47:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 15:47:28 0 d-------- C:\Program Files\D-Link
2008-07-10 15:47:21 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-10 15:38:22 0 d-------- C:\Documents and Settings\God\Application Data\Identities
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\Templates
2008-07-10 15:38:08 0 dr------- C:\Documents and Settings\God\Start Menu
2008-07-10 15:38:08 0 dr-h----- C:\Documents and Settings\God\SendTo
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\PrintHood
2008-07-10 15:38:08 1310720 --ah----- C:\Documents and Settings\God\NTUSER.DAT
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\NetHood
2008-07-10 15:38:08 0 dr------- C:\Documents and Settings\God\My Documents
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\Local Settings
2008-07-10 15:38:08 0 dr------- C:\Documents and Settings\God\Favorites
2008-07-10 15:38:08 0 d-------- C:\Documents and Settings\God\Desktop
2008-07-10 15:38:08 0 d--hs---- C:\Documents and Settings\God\Cookies
2008-07-10 15:38:08 0 dr-h----- C:\Documents and Settings\God\Application Data
2008-07-10 15:35:57 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-07-10 15:35:55 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-07-10 15:35:55 0 d-------- C:\WINDOWS\Prefetch
2008-07-10 15:35:54 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-07-10 15:35:54 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-07-10 15:35:54 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-07-10 15:35:54 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-07-10 15:35:54 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-07-10 15:35:47 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-07-10 15:35:47 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-07-10 15:35:47 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-07-10 15:35:47 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-07-10 15:35:47 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-07-10 15:32:36 0 d-------- C:\WINDOWS\system32\xircom
2008-07-10 15:32:36 0 d-------- C:\Program Files\microsoft frontpage
2008-07-10 15:32:22 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-07-10 15:32:11 0 -rahs---- C:\MSDOS.SYS
2008-07-10 15:32:11 0 -rahs---- C:\IO.SYS
2008-07-10 15:32:11 0 --a------ C:\CONFIG.SYS
2008-07-10 15:32:11 0 --a------ C:\AUTOEXEC.BAT
2008-07-10 15:31:07 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-07-10 15:30:56 0 dr------- C:\WINDOWS\Offline Web Pages
2008-07-10 15:30:56 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-07-10 15:30:45 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-10 15:30:26 0 d-------- C:\WINDOWS\system32\DirectX
2008-07-10 15:30:12 0 d---s---- C:\WINDOWS\Tasks
2008-07-10 15:30:11 0 d-------- C:\Program Files\Common Files\MSSoap
2008-07-10 15:30:09 0 d-------- C:\WINDOWS\srchasst
2008-07-10 15:30:08 0 d-------- C:\WINDOWS\system32\Macromed
2008-07-10 15:30:02 0 d-------- C:\Program Files\Movie Maker
2008-07-10 15:29:46 0 d-------- C:\WINDOWS\system32\Restore
2008-07-10 15:29:07 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-10 15:28:53 0 d-------- C:\WINDOWS\Registration
2008-07-10 15:28:46 0 d-------- C:\Program Files\Online Services
2008-07-10 15:28:39 0 d-------- C:\Program Files\Messenger
2008-07-10 15:28:37 0 d-------- C:\Program Files\MSN Gaming Zone
2008-07-10 15:28:08 0 d-------- C:\Program Files\Windows NT
2008-07-10 15:28:05 0 d-------- C:\WINDOWS\system32\MsDtc
2008-07-10 15:28:03 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-07-10 17:20:27 62 --ahs---- C:\Documents and Settings\God\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
04/25/2008 06:22 PM 62728 --a------ C:\Program Files\Kaspersky\ievkbd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AVP"="C:\Program Files\Kaspersky\avp.exe" [04/25/2008 06:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [07/08/2008 06:22 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link\AirPlus.exe [7/10/2008 3:47:35 PM]
D-Link REG Utility.lnk - C:\Program Files\D-Link\Reg.exe [7/10/2008 3:47:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\mzvkbd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUlmnon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d57f7bc-4e92-11dd-b1fe-806d6172696f}]
AutoRun\command- G:\driver.EXE

*Newly Created Service* - APPMGMT



-- End of Deckard's System Scanner: finished at 2008-07-12 18:43:57 ------------


DSS Log: Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2600+
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 511.53 MiB / 271.91 MiB
Pagefile Memory (total/avail): 1249.66 MiB / 1009.19 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1878.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 68.85 GiB free.
D: is Fixed (Unformatted) - 0 GiB total, 0 GiB free.
E: is Fixed (FAT32) - 44.45 GiB total, 29.74 GiB free.
F: is CDROM (No Media)
G: is CDROM (CDFS)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD400BB-00DKA0 - 37.27 GiB - 1 partition
\PARTITION0 - Installable File System - 37.26 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD800JB-00JJC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE2 - SAMSUNG HM080IC USB Device - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 44.46 GiB - E:
\PARTITION1 - Unknown - 30.07 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------


ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\God\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KSXP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\God
LOGONSERVER=\\KSXP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\God\LOCALS~1\Temp
TMP=C:\DOCUME~1\God\LOCALS~1\Temp
USERDOMAIN=KSXP
USERNAME=God
USERPROFILE=C:\Documents and Settings\God
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

God (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
D-Link AirPlus Xtreme G Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52A5F706-2FCC-4C14-9E9A-345C2DCB25E9}\Setup.exe" -l0x9
Football Manager 2008 --> "C:\Program Files\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kaspersky Anti-Virus 2009 --> MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009 --> MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Mozilla Firefox (3.0) --> C:\Program Files\Firefox\uninstall\helper.exe
No-IP.com DUC (remove only) --> "C:\Program Files\Tools\Black\NP\DUC20.exe" -uninstall
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.6h --> C:\Program Files\VLC\uninstall.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type134 / Warning
Event Submitted/Written: 07/11/2008 00:44:37 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_2050727_ASPNETAppsv2050727 for Performance Library ASP.NET_2.0.50727 because error 0x80041001 was returned

Event Record #/Type133 / Warning
Event Submitted/Written: 07/11/2008 00:44:37 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type132 / Warning
Event Submitted/Written: 07/11/2008 00:44:37 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_ASPNETApplications for Performance Library ASP.NET because error 0x80041001 was returned

Event Record #/Type131 / Warning
Event Submitted/Written: 07/11/2008 00:44:37 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type111 / Warning
Event Submitted/Written: 07/11/2008 00:43:02 PM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
HTTP namespace reservations are not installed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type529 / Error
Event Submitted/Written: 07/12/2008 03:08:36 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type524 / Error
Event Submitted/Written: 07/12/2008 02:11:50 PM / 07/12/2008 02:12:13 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type496 / Error
Event Submitted/Written: 07/11/2008 11:07:53 PM / 07/11/2008 11:08:23 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type473 / Error
Event Submitted/Written: 07/11/2008 00:45:51 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type472 / Error
Event Submitted/Written: 07/11/2008 00:45:43 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}



-- End of Deckard's System Scanner: finished at 2008-07-12 17:01:29 ------------

Thx in advance for any help.
KSieber

Edited by KSieber, 12 July 2008 - 11:34 AM.

#2
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

If you are going to start multiple threads in different forums, it will just waste our time: http://forums.whatth...elp_t93598.html
Please reply to that thread over there and say that you are being helped already - or if you wish wait for help there.

Any idea why this loops back to your Internet IP?

What you can do is fix this line with Hijack This:

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8FBE62-9F25-4344-B637-AE6965B2625F}: NameServer = 192.168.1.1

and if you lose internet connection do the following to restore it.

  • Open HiJackThis
  • Click on "View the list of Backups"
  • Place a check mark next to O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8FBE62-9F25-4344-B637-AE6965B2625F}: NameServer = 192.168.1.1
  • Click Restore
  • Click Yes
  • Reboot your computer
Find and delete the following files:

C:\WINDOWS\system32\nonmlUtv.ini2
G:\driver.EXE

You may need to show hidden files, which you can do by following the instructions found here.

Now,

  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Now please open Notepad by going to Start > Run and typing Notepad.exe in the window that pops up. Press enter and in the notepad window that appears Copy (Ctrl+C) and Paste (Ctrl+P) the following:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,20,00,00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d57f7bc-4e92-11dd-b1fe-806d6172696f}]

Note: it is important to copy this with the spacing left as it is; also make sure "REGEDIT4" is the first thing in Notepad (no spaces ahead of it or anything).

In Notepad click on the "File" menu > Save As... Under "File name" type Fix.reg and change "Save as type" to All Files.
Now double-click Fix.reg. A pop-up will appear asking you if you want to import this into your registry; click Yes.

Then,

Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.
Re-run DSS and post main.txt

You said you ran Kaspersky - it found nothing?

Edited by Mike, 12 July 2008 - 03:16 PM.


#3 KSieber (New Member, Topic Starter, 3 posts)
Hey Mike,

Thx for your help so far,

The TcpIp thing is part of my wireless driver and erasing it would cause my internet to stop working.

G:\driver.EXE is my CD drive and the file is a driving software so no worries there.

C:\WINDOWS\system32\nonmlUtv.ini2: This is weird because it can also be seen in the new DSS log even though it is definitely not found on my system. I checked the system32 folder (with hidden files and "show contents of system folders" both enabled) and couldn't find it, as well as running a search for the file. Any ideas... maybe a screw-up in the DSS software?

I did run a full scan with Kaspersky and it did find things, which I deleted or disinfected. Then I ran Kaspersky again and it said the system was clean; only after that did I use DSS.exe.

I also ran Malwarebytes' Anti-Malware before DSS.exe. If this interests you :) here is the log of that (don't know if it's of any value, but it won't kill anyone if I post it):

Malwarebytes' Anti-Malware 1.20
Database version: 942
Windows 5.1.2600 Service Pack 3

6:34:37 PM 7/12/2008
mbam-log-7-12-2008 (18-34-37).txt

Scan type: Quick Scan
Objects scanned: 38357
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qwqxotea.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17466f50.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17466f50.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Ok one more question before I leave you with the pleasure of my new DSS log. :)
If you don't mind, could you please explain what the entry I put into my registry was for? I'm eager to learn these things and didn't quite understand what its use was. :)

Deckard's System Scanner v20071014.68
Run by God on 2008-07-13 01:05:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as God.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:09 AM, on 7/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky\avp.exe
C:\Program Files\Tools\Black\NP\DUC20.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky\avp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\D-Link\AirPlus.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\God\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\God.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215699820898
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8FBE62-9F25-4344-B637-AE6965B2625F}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\mzvkbd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky\avp.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\Tools\Black\NP\DUC20.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4019 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-13 01:04:48 0 drahs---- C:\autorun.inf
2008-07-12 18:13:35 0 d-------- C:\Documents and Settings\God\Application Data\Malwarebytes
2008-07-12 18:13:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 18:13:30 0 d-------- C:\Program Files\Anti-Malware
2008-07-12 15:11:04 0 dr-h----- C:\Documents and Settings\God\Recent
2008-07-12 15:09:04 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-11 23:09:10 0 d-------- C:\Program Files\DAEMON Tools
2008-07-11 23:04:43 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-11 23:04:38 0 d-------- C:\Documents and Settings\God\Application Data\DAEMON Tools
2008-07-11 22:46:00 0 d--h----- C:\Program Files\Zero G Registry
2008-07-11 22:46:00 0 d-------- C:\Program Files\Football Manager 2008
2008-07-11 22:45:24 0 d--h----- C:\Documents and Settings\God\InstallAnywhere
2008-07-11 22:43:15 0 d-------- C:\Documents and Settings\God\Application Data\Sports Interactive
2008-07-11 12:42:47 0 d-------- C:\Program Files\MSBuild
2008-07-11 12:42:40 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-11 12:42:34 0 d-------- C:\Program Files\Reference Assemblies
2008-07-11 12:31:27 0 d-------- C:\Program Files\VLC
2008-07-10 23:19:31 0 d--h----- C:\WINDOWS\PIF
2008-07-10 23:09:11 0 d-------- C:\Program Files\Ad-Aware
2008-07-10 23:09:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 23:08:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 23:05:57 0 d-------- C:\Program Files\CCleaner
2008-07-10 22:16:09 0 d-------- C:\Documents and Settings\God\Application Data\Desktopicon
2008-07-10 21:29:42 1587 --ahs---- C:\WINDOWS\system32\nonmlUtv.ini2
2008-07-10 21:22:06 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-10 21:22:06 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-10 21:21:19 131104 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-10 21:21:19 594976 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-10 21:21:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-10 21:19:33 0 d-------- C:\Program Files\Kaspersky
2008-07-10 21:15:51 0 d-------- C:\WINDOWS\Sun
2008-07-10 21:15:51 0 d-------- C:\Documents and Settings\God\Application Data\Sun
2008-07-10 21:07:58 0 d-------- C:\Documents and Settings\God\Application Data\Macromedia
2008-07-10 21:07:57 0 d-------- C:\Documents and Settings\God\Application Data\Adobe
2008-07-10 20:58:40 0 d-------- C:\Documents and Settings\God\Contacts
2008-07-10 20:28:19 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-07-10 20:28:19 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-07-10 20:28:18 0 d-------- C:\WINDOWS\VirtualEar
2008-07-10 20:28:18 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2008-07-10 20:28:18 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-07-10 20:28:18 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-07-10 20:28:18 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-07-10 20:28:18 978944 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-07-10 20:28:18 380928 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-07-10 20:28:17 44 --a------ C:\WINDOWS\system32\msssc.dll
2008-07-10 20:28:17 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-07-10 20:28:17 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-07-10 20:28:17 0 d-------- C:\Program Files\Analog Devices
2008-07-10 20:26:18 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-07-10 20:22:12 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-10 20:21:45 0 d-------- C:\Program Files\Windows Live
2008-07-10 20:21:36 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-10 20:12:56 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-10 20:07:38 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-07-10 20:02:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-10 17:20:50 0 d--hs---- C:\WINDOWS\Installer
2008-07-10 17:20:50 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-10 17:20:47 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-07-10 17:20:46 0 dr------- C:\Program Files
2008-07-10 17:20:46 0 d-------- C:\Program Files\Common Files
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-07-10 17:20:27 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-07-10 17:20:27 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-07-10 17:20:27 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-07-10 17:20:27 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-07-10 17:20:27 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-07-10 17:20:27 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-07-10 17:20:27 0 dr------- C:\Documents and Settings\All Users\Documents
2008-07-10 17:20:27 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-07-10 17:18:41 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-10 17:18:41 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-10 17:18:36 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-07-10 17:18:36 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-07-10 17:18:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-07-10 17:18:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-07-10 17:18:17 0 d--hs---- C:\System Volume Information
2008-07-10 17:18:17 0 d-------- C:\Documents and Settings
2008-07-10 17:13:13 0 d-------- C:\WINDOWS
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\WinSxS
2008-07-10 17:13:13 0 dr------- C:\WINDOWS\Web
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\twain_32
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\wins
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\wbem
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\usmt
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\spool
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\ShellExt
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\Setup
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\scripting
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\ras
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\oobe
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\npp
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\mui
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\inetsrv
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\IME
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\icsxml
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\ias
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\export
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\en
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\drivers
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-07-10 17:13:13 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\dhcp
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\config
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\3076
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\2052
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1054
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1042
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1041
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1037
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1033
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1031
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1028
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system32\1025
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\system
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\security
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Resources
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\repair
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Provisioning
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\PeerNet
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\pchealth
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Network Diagnostic
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\mui
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\msapps
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\msagent
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Media
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\L2Schemas
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\java
2008-07-10 17:13:13 0 d--h----- C:\WINDOWS\inf
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\ime
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Help
2008-07-10 17:13:13 0 dr--s---- C:\WINDOWS\Fonts
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\ehome
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Driver Cache
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Debug
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Cursors
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Connection Wizard
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\Config
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\AppPatch
2008-07-10 17:13:13 0 d-------- C:\WINDOWS\addins
2008-07-10 17:00:19 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-10 17:00:17 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 16:58:22 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-10 16:23:36 0 d--hs---- C:\Documents and Settings\God\UserData
2008-07-10 16:23:07 676224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-07-10 16:19:11 0 d-------- C:\Documents and Settings\God\Application Data\WinRAR
2008-07-10 16:16:34 0 d-------- C:\Program Files\Tools
2008-07-10 16:08:18 0 d-------- C:\Program Files\uTorrent
2008-07-10 16:08:08 0 d-------- C:\Documents and Settings\God\Application Data\uTorrent
2008-07-10 16:05:43 0 d-------- C:\Program Files\Java
2008-07-10 16:05:02 0 d-------- C:\Program Files\Common Files\Java
2008-07-10 16:04:34 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-10 15:55:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-10 15:55:27 0 d-------- C:\Documents and Settings\God\Application Data\Mozilla
2008-07-10 15:55:18 0 d-------- C:\Program Files\Firefox
2008-07-10 15:47:35 147456 -ra------ C:\WINDOWS\system32\ssleay32.dll
2008-07-10 15:47:35 651264 -ra------ C:\WINDOWS\system32\libeay32.dll
2008-07-10 15:47:35 11861 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
2008-07-10 15:47:35 351776 --a------ C:\WINDOWS\system32\drivers\ar52119x.sys <Not Verified; D-Link; D-Link Wireless Network Adapter>
2008-07-10 15:47:35 351840 --a------ C:\WINDOWS\system32\drivers\ar5211.sys <Not Verified; D-Link; D-Link Wireless Network Adapter>
2008-07-10 15:47:35 114688 --a------ C:\WINDOWS\system32\athcfg10.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2008-07-10 15:47:35 450560 -ra------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client>
2008-07-10 15:47:35 327680 -ra------ C:\WINDOWS\system32\AegisE2.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client>
2008-07-10 15:47:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 15:47:28 0 d-------- C:\Program Files\D-Link
2008-07-10 15:47:21 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-10 15:38:22 0 d-------- C:\Documents and Settings\God\Application Data\Identities
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\Templates
2008-07-10 15:38:08 0 dr------- C:\Documents and Settings\God\Start Menu
2008-07-10 15:38:08 0 dr-h----- C:\Documents and Settings\God\SendTo
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\PrintHood
2008-07-10 15:38:08 1310720 --ah----- C:\Documents and Settings\God\NTUSER.DAT
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\NetHood
2008-07-10 15:38:08 0 dr------- C:\Documents and Settings\God\My Documents
2008-07-10 15:38:08 0 d--h----- C:\Documents and Settings\God\Local Settings
2008-07-10 15:38:08 0 dr------- C:\Documents and Settings\God\Favorites
2008-07-10 15:38:08 0 d-------- C:\Documents and Settings\God\Desktop
2008-07-10 15:38:08 0 d--hs---- C:\Documents and Settings\God\Cookies
2008-07-10 15:38:08 0 dr-h----- C:\Documents and Settings\God\Application Data
2008-07-10 15:35:57 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-07-10 15:35:55 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-07-10 15:35:55 0 d-------- C:\WINDOWS\Prefetch
2008-07-10 15:35:54 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-07-10 15:35:54 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-07-10 15:35:54 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-07-10 15:35:54 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-07-10 15:35:54 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-07-10 15:35:47 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-07-10 15:35:47 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-07-10 15:35:47 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-07-10 15:35:47 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-07-10 15:35:47 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-07-10 15:32:36 0 d-------- C:\WINDOWS\system32\xircom
2008-07-10 15:32:36 0 d-------- C:\Program Files\microsoft frontpage
2008-07-10 15:32:22 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-07-10 15:32:11 0 -rahs---- C:\MSDOS.SYS
2008-07-10 15:32:11 0 -rahs---- C:\IO.SYS
2008-07-10 15:32:11 0 --a------ C:\CONFIG.SYS
2008-07-10 15:32:11 0 --a------ C:\AUTOEXEC.BAT
2008-07-10 15:31:07 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-07-10 15:30:56 0 dr------- C:\WINDOWS\Offline Web Pages
2008-07-10 15:30:56 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-07-10 15:30:45 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-10 15:30:26 0 d-------- C:\WINDOWS\system32\DirectX
2008-07-10 15:30:12 0 d---s---- C:\WINDOWS\Tasks
2008-07-10 15:30:11 0 d-------- C:\Program Files\Common Files\MSSoap
2008-07-10 15:30:09 0 d-------- C:\WINDOWS\srchasst
2008-07-10 15:30:08 0 d-------- C:\WINDOWS\system32\Macromed
2008-07-10 15:30:02 0 d-------- C:\Program Files\Movie Maker
2008-07-10 15:29:46 0 d-------- C:\WINDOWS\system32\Restore
2008-07-10 15:29:07 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-10 15:28:53 0 d-------- C:\WINDOWS\Registration
2008-07-10 15:28:46 0 d-------- C:\Program Files\Online Services
2008-07-10 15:28:39 0 d-------- C:\Program Files\Messenger
2008-07-10 15:28:37 0 d-------- C:\Program Files\MSN Gaming Zone
2008-07-10 15:28:08 0 d-------- C:\Program Files\Windows NT
2008-07-10 15:28:05 0 d-------- C:\WINDOWS\system32\MsDtc
2008-07-10 15:28:03 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-07-10 17:20:27 62 --ahs---- C:\Documents and Settings\God\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
04/25/2008 06:22 PM 62728 --a------ C:\Program Files\Kaspersky\ievkbd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AVP"="C:\Program Files\Kaspersky\avp.exe" [04/25/2008 06:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [07/08/2008 06:22 PM]

C:\Documents and Settings\God\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link\AirPlus.exe [7/10/2008 3:47:35 PM]
D-Link REG Utility.lnk - C:\Program Files\D-Link\Reg.exe [7/10/2008 3:47:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\mzvkbd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - APPMGMT



-- End of Deckard's System Scanner: finished at 2008-07-13 01:09:19 ------------



#4 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Let's check about the file.

Open Notepad by going to START > RUN and typing notepad.exe in the box that appears. In the window that pops up, please copy and paste the following:

@ECHO off
REM Clear the system, hidden and read-only attributes so the file can be seen and deleted
Attrib -s -h -r "C:\windows\system32\nonmlUtv.ini2"
REM Record whether the file was actually there before deleting it
IF EXIST "C:\windows\system32\nonmlUtv.ini2" (ECHO File found>>looksee.txt) ELSE (ECHO File not found>>looksee.txt)
DEL /Q "C:\windows\system32\nonmlUtv.ini2"
REM Show the result, then remove this batch file
start notepad looksee.txt
del fix.bat


In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.

Double click on fix.bat, tell me what looksee.txt says.

Now for your question,

You can read what the LSA key is here.

Basically you had this entry here:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUlmnon


The file appended to the value is one from Vundo, something it has been doing often lately and which is rather common.
We want to get rid of that file so that the value "Authentication Packages" is equal to msv1_0.
For that we need to edit the registry; the trick to this particular value, though, is that it is a hex value (google "registry data types").
So ultimately this is what we need:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,20,00,00

Be careful, because this only works with a REGEDIT4 header; the newer Windows Registry Editor Version 5.00 format would have two more 00,00 at the end of that value.
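A worked example of the encoding Mike describes, added here and not part of the thread: it decodes the hex(7) byte string under either .reg header, flags anything in "Authentication Packages" beyond msv1_0, and rebuilds the clean value. The function names, the KNOWN_PACKAGES set and the sample export are my own assumptions; the Vundo path is the one quoted above.

```python
"""Check and rebuild the LSA "Authentication Packages" value from a .reg export.

Added example, not code from the thread: function names, KNOWN_PACKAGES and the
sample export below are my own. The REGEDIT4 byte string tested here is the one
Mike posted; the Vundo-style sample is constructed to match his description.
"""
import re

LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"

# On a stock Windows XP box this value holds only msv1_0 (assumption: add any
# package you installed on purpose). Anything else in the list is worth a look;
# Vundo appended a randomly named DLL, as described above.
KNOWN_PACKAGES = {"msv1_0"}


def decode_multi_sz(value: str, version: str = "REGEDIT4") -> list[str]:
    """Turn 'hex(7):6d,73,...' into the list of strings it encodes.

    A REG_MULTI_SZ is a run of NUL-terminated strings followed by one extra NUL.
    REGEDIT4 writes one byte per character; "Windows Registry Editor Version
    5.00" writes UTF-16LE (two bytes per character), which is why the 5.00 form
    of the same value ends in two more 00,00.
    """
    hex_part = value.split(":", 1)[1] if ":" in value else value
    # Long values in .reg files are wrapped with a trailing "\" and leading spaces.
    raw = bytes(int(b, 16) for b in re.split(r"[,\s\\]+", hex_part.strip()) if b)
    text = raw.decode("latin-1") if version == "REGEDIT4" else raw.decode("utf-16-le")
    # strip() tolerates the trailing 0x20 (space) in the byte string posted above.
    return [s.strip() for s in text.split("\0") if s.strip()]


def encode_multi_sz(strings: list[str], version: str = "REGEDIT4") -> str:
    """Produce the hex(7) form of a clean value for the given .reg header."""
    text = "".join(s + "\0" for s in strings) + "\0"
    raw = text.encode("latin-1") if version == "REGEDIT4" else text.encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def suspicious_packages(value: str, version: str = "REGEDIT4") -> list[str]:
    """Return every entry in the value that is not a known authentication package."""
    return [p for p in decode_multi_sz(value, version) if p.lower() not in KNOWN_PACKAGES]


def audit_reg_export(reg_text: str) -> list[str]:
    """Scan the text of an exported .reg file and report unknown packages.

    The header line decides how the hex bytes are decoded; values that regedit
    wrapped across lines with a trailing backslash are joined back together.
    """
    lines = reg_text.splitlines()
    version = "REGEDIT4" if lines and lines[0].strip().upper() == "REGEDIT4" else "5.00"
    in_lsa = False
    value = None
    for line in lines[1:]:
        stripped = line.strip()
        if stripped.startswith("["):
            in_lsa = stripped.lower() == LSA_KEY.lower()
        elif in_lsa and stripped.lower().startswith('"authentication packages"='):
            value = stripped.split("=", 1)[1]
        elif value is not None and value.endswith("\\"):
            value = value[:-1] + stripped  # join a wrapped hex value
    return suspicious_packages(value, version) if value is not None else []


# Constructed sample: a 5.00-format export of the infected value described above.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    + LSA_KEY + "\n"
    + '"Authentication Packages"='
    + encode_multi_sz(["msv1_0", r"C:\WINDOWS\system32\vtUlmnon"], "5.00")
    + "\n"
)

if __name__ == "__main__":
    print("unknown packages:", audit_reg_export(SAMPLE_EXPORT))
    print("clean REGEDIT4 value:", encode_multi_sz(["msv1_0"]))
    print("clean 5.00 value:    ", encode_multi_sz(["msv1_0"], "5.00"))
```

On a live machine you would feed it the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg` rather than the constructed sample.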

If you're really interested in learning, take a look at GeekU here at Geeks to Go (pinned topic in this forum).

Your log looks clean :)

Please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.

Right-click on "My Computer." The "System Properties" dialogue box will appear, showing a number of tabs. From here you can reset System Restore and configure Automatic Updates.

First, click the System Restore tab.
  • Check the box beside "Turn off System Restore"
  • Click "Apply"
  • At the prompt, click "Yes"
Wait while your system deletes existing Restore Points, this may take a few moments.
  • Uncheck the box beside "Turn off System Restore"
  • Click "Apply"
  • At the prompt, click "Yes"
Your system will now create a new Restore Point.

Now that you are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there more than likely is none.
    • Stay away from cracks! However luring the thought of free software can be, it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big-name ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

#5 KSieber (New Member, Topic Starter, 3 posts)
Thanks for everything Mike,
Everything seems fine; I'll definitely look into that GeekU thread.
This issue is resolved!
KSieber

#6 Mike (Malware Monger, Retired Staff, 2,745 posts)
I'm glad everything is running well,

Take care and have a great day still :)

Mike

#7 Mike (Malware Monger, Retired Staff, 2,745 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.