
Ad pop-ups -Coolwebsearch? [CLOSED]


  • This topic is locked

#1
Ween (New Member, 4 posts)
I just got this virus or malware last night and tried removing it with AdAware and with McAfee, with no luck =/

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:41 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ncntqkdm.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {82336A8D-6CD0-4647-B791-75FCA8CF2B39} - C:\WINDOWS\system32\efcYqNFU.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntqkdm.exe DWram02
O4 - HKLM\..\Run: [{6da92c0c-f841-7a04-3996-4fb2e7d2c16b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\rfpkdfzbuqqlis.dll" DllStart
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: efcYqNFU - C:\WINDOWS\SYSTEM32\efcYqNFU.dll
O20 - Winlogon Notify: wvUnKAqn - wvUnKAqn.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0165081215898639) (0165081215898639mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Robert\LOCALS~1\Temp\016508~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 4851 bytes
  • 0
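The following is an added triage example, not part of the thread and not code from HijackThis or any other tool named here. It parses O2/O4/O20/O23 lines in the format of the log above and flags the structural indicators that make the entries for efcYqNFU.dll, ncntqkdm.exe and rfpkdfzbuqqlis.dll stand out: a browser helper object with no name, a Winlogon Notify package (a DLL winlogon.exe loads at every logon), a Run value named with a bare GUID that has Rundll32 load a DLL out of system32, a Startup shortcut pointing into system32, and above all the same file being hooked from more than one autostart location. The sample lines are copied from the first log; the file-name heuristic, its thresholds and the list of loader binaries are this example's own assumptions.

```python
"""Added example: a small triage pass over HijackThis-style O2/O4/O20/O23 lines.
It is not part of the thread and not HijackThis code; the indicators and
thresholds below are the example author's own assumptions."""
import re

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# a bare file name with an executable-ish extension (no path separators, no quotes)
FILE_RE = re.compile(r'([^\\\s"]+\.(?:exe|dll|sys))', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)
# loader processes host a payload, so they are not the thing to correlate on (assumption)
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample in HijackThis' own line format, taken from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {82336A8D-6CD0-4647-B791-75FCA8CF2B39} - C:\WINDOWS\system32\efcYqNFU.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntqkdm.exe DWram02
O4 - HKLM\..\Run: [{6da92c0c-f841-7a04-3996-4fb2e7d2c16b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\rfpkdfzbuqqlis.dll" DllStart
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
O20 - Winlogon Notify: efcYqNFU - C:\WINDOWS\SYSTEM32\efcYqNFU.dll
O20 - Winlogon Notify: wvUnKAqn - wvUnKAqn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


def looks_random(stem: str) -> bool:
    """Crude name heuristic (assumption): an all-letter stem of 8+ characters
    containing a run of five or more consonants. Weak on its own, so it only
    counts when the file also lives in system32."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    return re.search(r"[^aeiouy]{5}", stem.lower()) is not None


def triage(log_text: str) -> dict:
    """Map each suspicious entry line to the list of reasons it was flagged."""
    findings = {}
    refs = {}  # lower-cased file name -> set of entry lines that reference it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        files = FILE_RE.findall(body)
        for f in files:
            if f.lower() not in HOST_BINARIES:
                refs.setdefault(f.lower(), set()).add(line)
        reasons = []
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        if section == "O4":
            name = re.match(r"^[^:]+: \[(.*?)\]", body)
            if name and GUID_RE.match(name.group(1)):
                reasons.append("Run value named with a bare GUID")
            if re.search(r'rundll32\.exe\s+"?[^"]*\\system32\\[^"]+\.dll', body, re.I):
                reasons.append("Rundll32 loading a DLL out of system32 at logon")
            if body.startswith("Startup:") and SYSTEM32_RE.search(body):
                reasons.append("Startup-folder shortcut pointing into system32")
        if section == "O20":
            reasons.append("Winlogon Notify package: loaded into winlogon.exe at logon")
            if "(file missing)" in body:
                reasons.append("registration left behind for a DLL that is already gone")
        for f in files:
            if looks_random(f.rsplit(".", 1)[0]) and SYSTEM32_RE.search(body):
                reasons.append(f"random-looking file name in system32: {f}")
        if reasons:
            findings.setdefault(line, []).extend(reasons)
    # The strongest signal in the thread's log: one DLL/EXE hooked from several places.
    for fname, lines in refs.items():
        if len(lines) >= 2 and any(SYSTEM32_RE.search(l) for l in lines):
            for l in lines:
                findings.setdefault(l, []).append(
                    f"{fname} is referenced by {len(lines)} separate autostart entries")
    return findings


def flagged_files(findings: dict) -> set:
    """Lower-cased file names that occur in flagged entries (for a quick summary)."""
    return {f.lower() for line in findings for f in FILE_RE.findall(line)}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run on the sample, the McAfee scriptproxy BHO, the QuickTime Run value and the ATI service come out clean, while the six entries tied to efcYqNFU.dll, ncntqkdm.exe, rfpkdfzbuqqlis.dll and the missing wvUnKAqn.dll are listed with their reasons. The point is the correlation step rather than the name heuristic: a file that is registered both as a BHO and as a Winlogon Notify package, or both as a Run value and as a Startup shortcut, deserves a look regardless of what it is called.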


#2
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi Ween

Welcome to geekstogo :)


====STEP 1====
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



====STEP 3====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
In your next reply, could I see:
1. the vundo log
2. the malwarebytes log
3. the 2 DSS logs

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Edited by andrewuk, 12 July 2008 - 06:29 PM.

  • 0

#3
Ween (Topic Starter, New Member, 4 posts)
Thank you for the quick response, andrewuk!
Here are the logs you requested:

Vundofix found nothing and thus produced no log file.

Malwarebytes log:
Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

9:41:15 PM 7/12/2008
mbam-log-7-12-2008 (21-41-15).txt

Scan type: Quick Scan
Objects scanned: 40429
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 75

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtusQJb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\efcYqNFU.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c022560a-091d-4b05-b5af-b2e6d039c662} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c022560a-091d-4b05-b5af-b2e6d039c662} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyqnfu (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm4798d2e4 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtusqjb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtusqjb -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\awtusQJb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bJQsutwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bJQsutwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oicdahyk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kyhadcio.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\slntamrr.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gside.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\accesss.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\astctl32.ocx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\clrssn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctrlpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\directx32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dnsrelay.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\editpad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funniest.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funny.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\gfmnaaa.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\helpcvs.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iedll.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\inetinf.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msconfd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msspi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssys.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msupdate.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc10.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc20.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mtwirl32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\notepad32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\qttasks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\quicken.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pdbieapl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.vbe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\searchword.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\sistem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\svcinit.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systeem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systemcritical.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\time.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\users32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\waol.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win32e.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win64.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winajbm.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\window.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winmgnt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xplugin.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqQjJYO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcYqNFU.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiMalwareGuard.lnk (Rogue.AntiMalwareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\winvsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.


DSS Log:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1023.36 MiB / 674.34 MiB
Pagefile Memory (total/avail): 2464.32 MiB / 2198.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.52 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 15.01 GiB total, 7.24 GiB free.
D: is Fixed (NTFS) - 134.04 GiB total, 125.16 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 15.01 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 134.04 GiB - D:

\\.\PHYSICALDRIVE2 - Sony UMH-U HS-CF USB Device

\\.\PHYSICALDRIVE1 - Sony UMH-U HS-MS USB Device

\\.\PHYSICALDRIVE3 - Sony UMH-U HS-SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe:*:Disabled:tgcmd Module"
"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"="D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Robert\Application Data
CLASSPATH="C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip"
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BOB
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Robert
LOGONSERVER=\\BOB
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip"
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Robert\LOCALS~1\Temp
TMP=C:\DOCUME~1\Robert\LOCALS~1\Temp
USERDOMAIN=BOB
USERNAME=Robert
USERPROFILE=C:\Documents and Settings\Robert
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Robert (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93B80FB1-7A23-11D3-B250-00105A1F4184}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\bnlctehnguds.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
MoodLogic --> C:\WINDOWS\ml-uninstall-v10.exe
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\system32\dsvovbeqnepq.dll-uninst.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvsy.inf
OpenMG Secure Module 3.3.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FA1C51C-6E35-42C1-B2EC-DC9FA1E20694}\Setup.exe" -l0x9 UNINSTALL
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SonicStage 1.6.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}\setup.exe" -l0x9 UNINSTALL
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Video Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
VAIO BrightColor Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D1D6640-CD43-4AD9-A52F-E48265DB28E0}\setup.exe" -l0x9
VAIO Help and Support --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}
VAIO Media Redistribution 2.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\setup.exe" -l0x9 UNINSTALL
VAIO Registration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Remote Commander Utility 6.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C75086F-7753-41B9-8B4C-F38DE6CC8C20}\Setup.exe"
VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
VAIO Survey Standalone --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD7D5804-C157-48A6-AEE0-4A40A4B5C054}\setup.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type630 / Error
Event Submitted/Written: 07/12/2008 06:54:48 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type628 / Error
Event Submitted/Written: 07/12/2008 06:39:44 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type620 / Error
Event Submitted/Written: 07/12/2008 06:09:55 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type616 / Error
Event Submitted/Written: 07/12/2008 05:49:35 PM
Event ID/Source: 4691 / COM+
Event Description:
The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Event Record #/Type615 / Error
Event Submitted/Written: 07/12/2008 05:31:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.3268, fault address 0x0009b4c2.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11556 / Error
Event Submitted/Written: 07/12/2008 09:43:35 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Windows Service Pack Installer update service service depends on the Security Accounts Manager service which failed to start because of the following error:
%%1058

Event Record #/Type11528 / Error
Event Submitted/Written: 07/12/2008 09:14:38 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Windows Service Pack Installer update service service depends on the Security Accounts Manager service which failed to start because of the following error:
%%1058

Event Record #/Type11494 / Error
Event Submitted/Written: 07/12/2008 09:02:02 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Windows Service Pack Installer update service service depends on the Security Accounts Manager service which failed to start because of the following error:
%%1058

Event Record #/Type11454 / Error
Event Submitted/Written: 07/12/2008 06:18:49 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Windows Service Pack Installer update service service depends on the Security Accounts Manager service which failed to start because of the following error:
%%1058

Event Record #/Type11448 / Warning
Event Submitted/Written: 07/12/2008 06:15:58 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-12 21:47:51 ------------

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:05 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: {31db784a-ae79-4439-49b4-8c9a6b1b8d28} - {82d8b1b6-a9c8-4b94-9344-97eaa487bd13} - C:\WINDOWS\system32\hfrkdl.dll
O20 - Winlogon Notify: wvUnKAqn - wvUnKAqn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 2385 bytes

#4
Ween
    New Member
  • Topic Starter
  • 4 posts
I think I posted only the extrabits file for DSS; this is the first part:

Deckard's System Scanner v20071014.68
Run by Robert on 2008-07-12 21:57:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Robert.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:36 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Robert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: {31db784a-ae79-4439-49b4-8c9a6b1b8d28} - {82d8b1b6-a9c8-4b94-9344-97eaa487bd13} - C:\WINDOWS\system32\hfrkdl.dll
O20 - Winlogon Notify: wvUnKAqn - wvUnKAqn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 2421 bytes

-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 21:41:36 1291 --ahs---- C:\WINDOWS\system32\bJQsutwa.ini2
2008-07-12 21:31:43 0 d-------- C:\Documents and Settings\Robert\Application Data\Malwarebytes
2008-07-12 21:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:31:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 21:20:36 0 d-------- C:\VundoFix Backups
2008-07-12 18:06:25 105248 --a------ C:\WINDOWS\system32\hfrkdl.dll
2008-07-12 18:06:24 105248 --a------ C:\WINDOWS\system32\fxkrcjrj.dll
2008-07-12 18:04:27 90992 -----n--- C:\WINDOWS\system32\pdbieapl.dll
2008-07-12 18:03:18 314688 -----n--- C:\WINDOWS\system32\awtusQJb.dll
2008-07-12 17:54:56 25888 -----n--- C:\WINDOWS\system32\efcYqNFU.dll
2008-07-12 17:39:12 0 d-------- C:\Program Files\Trend Micro
2008-07-12 16:39:31 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-07-12 16:36:46 0 d-------- C:\Program Files\McAfee.com
2008-07-12 16:36:40 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-12 16:36:22 0 d-------- C:\Program Files\McAfee
2008-07-12 16:28:32 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-12 07:38:25 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-07-12 07:24:14 86 --ah----- C:\aaw7boot.cmd
2008-07-11 22:41:04 0 d-------- C:\WINDOWS\system32\3251
2008-07-11 22:24:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-11 21:46:05 64332 --a------ C:\WINDOWS\system32\bnlctehnguds.exe
2008-07-11 21:46:00 152157 --a------ C:\WINDOWS\system32\g99.exe
2008-07-11 21:43:13 1960 --ahs---- C:\WINDOWS\system32\HgMSYcdd.ini2
2008-07-11 21:38:24 192573 --a------ C:\WINDOWS\system32\ncntqkdm.exe
2008-07-11 21:38:19 1723 --a------ C:\WINDOWS\system32\clbinit.dll
2008-07-11 21:36:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-11 21:36:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-11 21:36:39 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-11 21:36:37 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-07-11 21:36:33 0 d-------- C:\WINDOWS\system32\?icrosoft
2008-07-11 21:36:32 0 d--hs---- C:\WINDOWS\Um9iZXJ0
2008-07-11 21:36:24 86144 -----n--- C:\WINDOWS\system32\drivers\slntamrr.sys
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\sfig
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\provdll
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\OBDE
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\imp32
2008-07-11 21:36:18 0 d-------- C:\WINDOWS\system32\olixds01
2008-07-11 21:36:18 0 d-------- C:\Temp
2008-07-03 09:45:24 364544 --a------ C:\WINDOWS\system32\dsvovbeqnepq.dll
2008-07-02 09:01:20 158208 --a------ C:\WINDOWS\system32\rfpkdfzbuqqlis.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-12 16:36:40 0 d-------- C:\Program Files\Common Files
2008-07-12 08:13:58 0 d-------- C:\Program Files\Messenger
2008-07-12 07:40:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 21:25:27 0 d-------- C:\Documents and Settings\Robert\Application Data\Help


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82d8b1b6-a9c8-4b94-9344-97eaa487bd13}]
07/12/2008 06:06 PM 105248 --a------ C:\WINDOWS\system32\hfrkdl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKAqn]
wvUnKAqn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wscsvc"=2 (0x2)
"SamSs"=2 (0x2)
"NtLmSsp"=3 (0x3)
"ATI Smart"=2 (0x2)
"wuauserv"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-07-12 21:58:13 ------------

#5
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
In this post we will remove the remaining malware I can see and do three scans to see what else is on your machine.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.


====STEP 1====
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\bJQsutwa.ini2
    C:\WINDOWS\system32\hfrkdl.dll
    C:\WINDOWS\system32\fxkrcjrj.dll
    C:\WINDOWS\system32\pdbieapl.dll
    C:\WINDOWS\system32\awtusQJb.dll
    C:\WINDOWS\system32\efcYqNFU.dll
    C:\WINDOWS\system32\bnlctehnguds.exe
    C:\WINDOWS\system32\g99.exe
    C:\WINDOWS\system32\HgMSYcdd.ini2
    C:\WINDOWS\system32\ncntqkdm.exe
    C:\WINDOWS\system32\clbinit.dll
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\system32\dsvovbeqnepq.dll
    C:\WINDOWS\system32\rfpkdfzbuqqlis.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31db784a-ae79-4439-49b4-8c9a6b1b8d28}
    HKEY_CLASSES_ROOT\CLSID\{31db784a-ae79-4439-49b4-8c9a6b1b8d28}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnKAqn
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 4====
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
====STEP 6====
And could you re-run DSS by double-clicking on the icon on your desktop again? Only one report will be produced this time.




In your next reply could I see:
1. the OTMoveIT log
2. the SDFix log
3. the SUPERantispyware log
4. the GMER log
5. the Kaspersky log
6. the DSS log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
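As an added example, not code from this thread or from any of the tools andrewuk lists, here is a small Python triage script that encodes three of the tells acted on in this thread and runs them over constructed lines modelled on Ween's logs: a BHO whose display name is a bare CLSID, a Winlogon Notify entry whose DLL is missing, and a system32 path containing a non-ASCII look-alike character such as the Cyrillic 'М' in 'Мicrosoft'. The tag names and the sample log are assumptions made for the example.

```python
import re

# Constructed sample lines, modelled on the HijackThis and OTMoveIt output
# quoted in this thread. The last line's 'М' is Cyrillic U+041C, not Latin 'M'.
SAMPLE_LOG = (
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/\n"
    "O2 - BHO: {31db784a-ae79-4439-49b4-8c9a6b1b8d28} - {82d8b1b6-a9c8-4b94-9344-97eaa487bd13}"
    " - C:\\WINDOWS\\system32\\hfrkdl.dll\n"
    "O20 - Winlogon Notify: wvUnKAqn - wvUnKAqn.dll (file missing)\n"
    "O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe\n"
    "C:\\WINDOWS\\system32\\\u041cicrosoft\n"
)

GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
HJT_LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def homoglyph_chars(path):
    """Return the characters outside ASCII in a Windows path.

    Paths under C:\\WINDOWS\\system32 are pure ASCII, so any such character is
    a likely look-alike (for example Cyrillic 'М' standing in for Latin 'M').
    """
    return [ch for ch in path if ord(ch) > 127]


def triage_hjt_line(line):
    """Apply two tells from this thread to one HijackThis line.

    Returns a list of (tag, detail) tuples; an empty list means nothing flagged.
    """
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    findings = []
    if code == "O2" and body.startswith("BHO: "):
        # Format: BHO: <display name> - {CLSID} - <dll path>
        parts = [p.strip() for p in body[len("BHO: "):].split(" - ")]
        if len(parts) >= 3 and GUID_RE.match(parts[0]):
            # Legitimate BHOs carry a product name; a bare GUID as the name is
            # typical of the randomly named DLLs seen in this thread.
            findings.append(("bho-guid-name", parts[2]))
    if code == "O20" and "(file missing)" in body:
        # A Winlogon Notify entry whose DLL is gone is left-over persistence;
        # the registry key still needs cleaning even though the file is absent.
        findings.append(("winlogon-notify-missing", body.split(":", 1)[1].strip()))
    return findings


def triage_log(text):
    """Run the line-level checks over a whole log and add the homoglyph check
    for every line that contains a drive-letter path."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings.extend(triage_hjt_line(line))
        if DRIVE_PATH_RE.search(line) and homoglyph_chars(line):
            findings.append(("non-ascii-path", line))
    return findings


if __name__ == "__main__":
    for tag, detail in triage_log(SAMPLE_LOG):
        print(f"{tag:26} {detail}")
```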

#6
Ween
    New Member
  • Topic Starter
  • 4 posts
Ok here we go:

Explorer killed successfully
C:\WINDOWS\system32\bJQsutwa.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hfrkdl.dll
C:\WINDOWS\system32\hfrkdl.dll NOT unregistered.
C:\WINDOWS\system32\hfrkdl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fxkrcjrj.dll
C:\WINDOWS\system32\fxkrcjrj.dll NOT unregistered.
C:\WINDOWS\system32\fxkrcjrj.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\pdbieapl.dll
C:\WINDOWS\system32\pdbieapl.dll NOT unregistered.
C:\WINDOWS\system32\pdbieapl.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\awtusQJb.dll
C:\WINDOWS\system32\awtusQJb.dll NOT unregistered.
C:\WINDOWS\system32\awtusQJb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\efcYqNFU.dll
C:\WINDOWS\system32\efcYqNFU.dll NOT unregistered.
C:\WINDOWS\system32\efcYqNFU.dll moved successfully.
C:\WINDOWS\system32\bnlctehnguds.exe moved successfully.
C:\WINDOWS\system32\g99.exe moved successfully.
C:\WINDOWS\system32\HgMSYcdd.ini2 moved successfully.
C:\WINDOWS\system32\ncntqkdm.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\clbinit.dll NOT unregistered.
C:\WINDOWS\system32\clbinit.dll moved successfully.
C:\WINDOWS\system32\hljwugsf.bin moved successfully.
C:\WINDOWS\system32\dsvovbeqnepq.dll unregistered successfully.
C:\WINDOWS\system32\dsvovbeqnepq.dll moved successfully.
C:\WINDOWS\system32\rfpkdfzbuqqlis.dll unregistered successfully.
C:\WINDOWS\system32\rfpkdfzbuqqlis.dll moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31db784a-ae79-4439-49b4-8c9a6b1b8d28} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31db784a-ae79-4439-49b4-8c9a6b1b8d28}\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{31db784a-ae79-4439-49b4-8c9a6b1b8d28} >
Registry key HKEY_CLASSES_ROOT\CLSID\{31db784a-ae79-4439-49b4-8c9a6b1b8d28}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnKAqn >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnKAqn\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mcmsc_6gz63oo3VsdRMSl scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
C:\WINDOWS\system32\Мicrosoft moved successfully.
C:\Documents and Settings\Robert\My Documents\Ѕymantec\Ѕymantec moved successfully.
C:\Documents and Settings\Robert\My Documents\Ѕymantec moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07132008_124309

-----------------------------------------------------------------------------------------


SDFix: Version 1.205
Run by Robert on Sun 07/13/2008 at 01:04 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Robert\Desktop\SDFix

Checking Services :

Name :
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 13:09:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe:*:Disabled:tgcmd Module"
"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"="D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\Robert\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 12 Jul 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 12 Jul 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 12 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT6D.tmp"
Sat 12 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3ae0283cc5a5b1aa1e0729354e5096d\BIT6E.tmp"

Finished!

-------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2008 at 01:47 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1494

Scan type : Complete Scan
Total Scan Time : 00:29:24

Memory items scanned : 322
Memory threats detected : 0
Registry items scanned : 3971
Registry threats detected : 0
File items scanned : 46775
File threats detected : 68

Adware.Tracking Cookie
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@adlegend[1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@adserver[1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@advertising[1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@atdmt[2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@doubleclick[1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@hitbox[2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\[email protected][1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@questionmarket[1].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@revsci[2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@specificclick[2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@tacoda[2].txt
C:\Deckard\System Scanner\20080712215725\backup\DOCUME~1\Robert\LOCALS~1\Temp\Cookies\robert@zedo[2].txt
C:\Deckard\System Scanner\20080712215725\backup\WINDOWS\temp\Cookies\robert@atdmt[1].txt
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][3].txt
C:\Documents and Settings\Robert\Cookies\[email protected][4].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\robert@adecn[2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\robert@adrevolver[2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\robert@atdmt[2].txt
C:\Documents and Settings\Robert\Cookies\robert@azjmp[1].txt
C:\Documents and Settings\Robert\Cookies\robert@azjmp[3].txt
C:\Documents and Settings\Robert\Cookies\robert@crackle[2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\robert@enhance[2].txt
C:\Documents and Settings\Robert\Cookies\robert@findwhat[1].txt
C:\Documents and Settings\Robert\Cookies\robert@lynxtrack[1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\robert@mediaplex[1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\robert@pro-market[2].txt
C:\Documents and Settings\Robert\Cookies\robert@realmedia[1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\robert@specificclick[2].txt
C:\Documents and Settings\Robert\Cookies\robert@specificclick[3].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\robert@tacoda[1].txt
C:\Documents and Settings\Robert\Cookies\robert@tacoda[2].txt
C:\Documents and Settings\Robert\Cookies\robert@trafficmp[1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\robert@virusremover2008[1].txt
C:\Documents and Settings\Robert\Cookies\robert@wmvmedialease[1].txt
C:\Documents and Settings\Robert\Cookies\robert@wmvmedialease[2].txt

Rootkit.TNCore-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018750.EXE

Adware.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP171\A0020737.CFG

Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1281OINADMIN.EXE-2D8F7800.PF

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

Trojan.Downloader-Gen/Suspicious
C:\WINDOWS\SYSTEM32\PROVDLL\GLOBSETUP.EXE

------------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT
Sunday, July 13, 2008 3:37:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/07/2008
Kaspersky Anti-Virus database records: 949040


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 47687
Number of viruses found 9
Number of infected objects 13
Number of suspicious objects 0
Duration of the scan process 00:49:00

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{0C3D80DE-8FC5-4C48-AC28-D198A74BF29B}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{B736B7E5-CA72-4E18-96CD-12690D936E39}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR3.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip ZIP: infected - 4 skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv435.jar-1c29204d-1b283994.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv435.jar-1c29204d-1b283994.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv435.jar-1c29204d-1b283994.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv435.jar-1c29204d-1b283994.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Robert\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-7-13-2008( 13-53-20 ).LOG Object is locked skipped

C:\Documents and Settings\Robert\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Robert\Desktop\SDFix\apps\Process.exe Object is locked skipped

C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Robert\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Robert\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat Object is locked skipped

C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Robert\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Robert\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP160\A0017734.exe Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018736.dll Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018737.exe Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018738.exe Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018740.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018741.exe Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018747.dll Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018749.exe Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018751.vbs Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018752.vbs Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP162\A0018800.dll Object is locked skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP166\A0019013.dll Infected: Rootkit.Win32.Clbd.ez skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP174\A0020988.exe Infected: Trojan.Win32.DNSChanger.eyr skipped

C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP174\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itircl.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\imp32\keysrve.exe Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcmsc_amEOsQSdjvm80CE Object is locked skipped

C:\WINDOWS\Temp\mcmsc_LHJYj2kdAR6MdeX Object is locked skipped

C:\WINDOWS\Temp\mcmsc_pMd0PDkRrFww659 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_YA3NyHcMyv15DQF Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\07132008_124309\WINDOWS\system32\ncntqkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bv skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP174\change.log Object is locked skipped

Scan process completed.

---------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Robert on 2008-07-13 15:39:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Robert.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:44 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Robert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: {31db784a-ae79-4439-49b4-8c9a6b1b8d28} - {82d8b1b6-a9c8-4b94-9344-97eaa487bd13} - C:\WINDOWS\system32\hfrkdl.dll (file missing)
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 2696 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-13 14:15:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 14:15:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-13 14:15:30 0 d-------- C:\WINDOWS\LastGood
2008-07-13 13:14:04 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 13:13:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-13 13:13:57 0 d-------- C:\Documents and Settings\Robert\Application Data\SUPERAntiSpyware.com
2008-07-13 13:01:18 0 d-------- C:\WINDOWS\ERUNT
2008-07-12 21:31:43 0 d-------- C:\Documents and Settings\Robert\Application Data\Malwarebytes
2008-07-12 21:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:31:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 21:20:36 0 d-------- C:\VundoFix Backups
2008-07-12 17:39:12 0 d-------- C:\Program Files\Trend Micro
2008-07-12 16:39:31 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-07-12 16:36:46 0 d-------- C:\Program Files\McAfee.com
2008-07-12 16:36:40 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-12 16:36:22 0 d-------- C:\Program Files\McAfee
2008-07-12 16:28:32 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-12 07:38:25 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-07-12 07:24:14 86 --ah----- C:\aaw7boot.cmd
2008-07-11 22:41:04 0 d-------- C:\WINDOWS\system32\3251
2008-07-11 22:24:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-11 21:36:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-11 21:36:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-11 21:36:39 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-11 21:36:32 0 d--hs---- C:\WINDOWS\Um9iZXJ0
2008-07-11 21:36:24 86144 -----n--- C:\WINDOWS\system32\drivers\slntamrr.sys
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\sfig
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\provdll
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\OBDE
2008-07-11 21:36:23 0 d-------- C:\WINDOWS\system32\imp32
2008-07-11 21:36:18 0 d-------- C:\WINDOWS\system32\olixds01
2008-07-11 21:36:18 0 d-------- C:\Temp


-- Find3M Report ---------------------------------------------------------------

2008-07-13 13:13:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 16:36:40 0 d-------- C:\Program Files\Common Files
2008-07-12 08:13:58 0 d-------- C:\Program Files\Messenger
2008-07-09 21:25:27 0 d-------- C:\Documents and Settings\Robert\Application Data\Help


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82d8b1b6-a9c8-4b94-9344-97eaa487bd13}]
C:\WINDOWS\system32\hfrkdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wscsvc"=2 (0x2)
"SamSs"=2 (0x2)
"NtLmSsp"=3 (0x3)
"ATI Smart"=2 (0x2)
"wuauserv"=2 (0x2)

*Newly Created Service* - GMER



-- End of Deckard's System Scanner: finished at 2008-07-13 15:40:11 ------------

#7 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
The Kaspersky scan picked up some infections in your Java cache, so we will clear it out and update your Java. Also, because it looks like you once had a rootkit, we will download and use another tool to see what we find.

Out of interest, are you still able to run your QuickTime program? Or is someone else helping you to fix your machine?

====STEP 1====
Clearing the Java cache:
There is a nice set of instructions at http://www.java.com/.../5000020300.xml

  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel and then the Java Control Panel will appear.
  • Click Settings under Temporary Internet Files and the Temporary Files Settings dialog box appears.
  • Click Delete Files and the Delete Temporary Files dialog box appears.
  • Make sure all three boxes are ticked: Downloaded Applets, Downloaded Applications and Other Files, and then click OK on the Delete Temporary Files window. Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
====STEP 2====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: {31db784a-ae79-4439-49b4-8c9a6b1b8d28} - {82d8b1b6-a9c8-4b94-9344-97eaa487bd13} - C:\WINDOWS\system32\hfrkdl.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 3====
If you have already downloaded ComboFix, could you delete the current version you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**




In your next reply, could I see:
1. the combofix log
2. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
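The reasoning in the post above (infections only in the Java cache and in System Restore copies, a rootkit detection in the restore history, a BHO whose file is missing and whose "name" is just another GUID) can be checked mechanically against the two logs. The script below is an added example and is not code from this thread, from Kaspersky, HijackThis or DSS; the sample lines are copied from the logs posted above, while the location classes, the detection-family split and the "locked executable" heuristic are this example's own assumptions about how to read such logs.

```python
"""Triage of the Kaspersky scan log and HijackThis log posted above.

Added example: not code from the thread or from any tool named in it.
The location classes, detection families and locked-executable heuristic
below are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample: a subset of result lines from the Kaspersky log above.
KAV_SAMPLE = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-df21699-5f28c0c0.zip ZIP: infected - 4 skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP161\A0018740.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP166\A0019013.dll Infected: Rootkit.Win32.Clbd.ez skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP174\A0020988.exe Infected: Trojan.Win32.DNSChanger.eyr skipped
C:\WINDOWS\system32\imp32\keysrve.exe Object is locked skipped
C:\_OTMoveIt\MovedFiles\07132008_124309\WINDOWS\system32\ncntqkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bv skipped
"""

# Constructed sample: a subset of the HijackThis lines from the DSS log above.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: {31db784a-ae79-4439-49b4-8c9a6b1b8d28} - {82d8b1b6-a9c8-4b94-9344-97eaa487bd13} - C:\WINDOWS\system32\hfrkdl.dll (file missing)
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# One Kaspersky result line: "<path> Infected: <name> skipped",
# "<path> Object is locked skipped" or "<path> ZIP: infected - N skipped".
KAV_LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<det>\S+)|Object is locked"
    r"|ZIP: infected - (?P<n>\d+)) skipped$")
GUID = r"\{[0-9a-fA-F-]{36}\}"
HJT_BHO = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + GUID + r") - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
GUID_ONLY = re.compile("^" + GUID + "$")


def classify_location(path):
    """Where the object lives decides what a hit means (assumed classes)."""
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"        # drive-by applets: clear cache, update Java
    if "\\system volume information\\_restore" in p:
        return "system-restore"    # inactive copies; flush restore points later
    if "\\_otmoveit\\movedfiles\\" in p:
        return "quarantine"        # already moved out of place by OTMoveIt
    return "live"                  # still in place: needs removal now


def classify_detection(det):
    """Family prefix of a Kaspersky name: Rootkit, Exploit, Trojan-Downloader..."""
    if det.startswith("not-a-virus:"):
        return "adware/pup"
    return det.split(".", 1)[0].lower()


def triage_kav(text):
    """Return (findings, locked_paths); ZIP summary lines carry no new path."""
    findings, locked = [], []
    for line in text.strip().splitlines():
        m = KAV_LINE.match(line.strip())
        if not m:
            continue
        if m.group("det"):
            findings.append({"path": m.group("path"), "detection": m.group("det"),
                             "location": classify_location(m.group("path")),
                             "kind": classify_detection(m.group("det"))})
        elif m.group("n") is None:
            locked.append(m.group("path"))
    return findings, locked


def locked_executables(locked):
    """Locked objects were NOT scanned, so a locked .exe/.dll/.sys that is live
    and not inside a hotfix-uninstall folder deserves a look (heuristic)."""
    return [p for p in locked
            if p.lower().endswith((".exe", ".dll", ".sys"))
            and classify_location(p) == "live"
            and "$ntuninstall" not in p.lower()]


def suspicious_bhos(text):
    """O2 entries whose file is missing or whose display name is only a GUID."""
    out = []
    for line in text.strip().splitlines():
        m = HJT_BHO.match(line.strip())
        if not m:
            continue
        reasons = []
        if m.group("missing"):
            reasons.append("file missing")
        if GUID_ONLY.match(m.group("name")):
            reasons.append("no display name")
        if reasons:
            out.append((m.group("clsid"), m.group("path"), reasons))
    return out


def report(kav_text, hjt_text):
    findings, locked = triage_kav(kav_text)
    return {
        "findings": findings,
        "by_location": Counter(f["location"] for f in findings),
        "by_kind": Counter(f["kind"] for f in findings),
        "rootkit_seen": any(f["kind"] == "rootkit" for f in findings),
        "live_findings": [f for f in findings if f["location"] == "live"],
        "locked_executables": locked_executables(locked),
        "suspicious_bhos": suspicious_bhos(hjt_text),
    }


if __name__ == "__main__":
    for key, value in report(KAV_SAMPLE, HJT_SAMPLE).items():
        print(key, "=", value)
```

On the sample, every infected object is in the Java cache, a restore point or the OTMoveIt quarantine and none is live, which is why the next steps are a cache flush plus Java update and a rootkit scan rather than another file deletion; the one locked executable it flags, keysrve.exe under system32\imp32, sits in a folder the DSS log shows was created on the night of the infection, and "locked" only means the scanner never looked inside it.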

#8 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.