Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Leif Needs help with Removing Viruses! [RESOLVED]

Started by Leifgreen , Jul 19 2008 11:00 AM

  • This topic is locked This topic is locked

#1
Leifgreen
Posted 19 July 2008 - 11:00 AM

Leifgreen

    Member

  • Member
  • PipPip
  • 49 posts
Hello, Geeks to go! ^_^

Being without Spy-Ware Protection for the last three days has resulted in a mass Malware attack on my computer, and I've come to request your unforgettable help! ^_^

On re-booting my computer, a security background was displayed, and fake anti-spy-ware programs have installed them selves, automatically staring-up and scanning. I've removed them from safe-mode, but they still display in the System configuration Utility. (I shut them off there too! ^_^ )

My "My computer" icon is gone. Hmm...

Also, the computer is suffering from random Blue-screen errors. Mostly at start up and shut down.

I know the viruses are still in there, because of a random pop-up, leading me to a website to purchase it's software, and the new Blue-screen errors, only happening in the presence of this attack!

Geeks to go, if you don't mind, I'm requesting your unforgettable help! ^_^ Thanks!

Thanks again! This is my third time here, eh? ^_^

- Little preacher man.

Edited by Leifgreen, 20 July 2008 - 02:56 PM.

  • 0

Advertisements

#2
andrewuk
Posted 19 July 2008 - 11:27 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Leifgreen

welcome back to geekstogo :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

you may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk
  • 0

#3
Leifgreen
Posted 19 July 2008 - 12:45 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I apologize for the long wait... The computer keeps having blue screens, and sometimes automatic shut downs after a 1:00 message appears.

When I attempted to run DSS, there was an error message, telling me it encountered a problem, and shut it's self down. Afterwards followed by a Blue-screen error.

Any hints? Could I scan the system in Safe mode? Thanks again, and, again, sorry! ^_^

EDIT: I apoligize, again. Every attempt to start in Safe mode leads to another Blue screen error. It wouldn't let me on. Also, the task bar hasn't loaded, indicating a memory problem? No programs (But my browser) will load. it will start, but freeze in unresponsiveness.

What's you thoughts? Oh, and, THANKS again! ^_^

- Little preacher man.

Edited by Leifgreen, 19 July 2008 - 01:02 PM.

  • 0

#4
andrewuk
Posted 19 July 2008 - 01:47 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, lets see if we can get a hijackthis up and running:

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#5
Leifgreen
Posted 19 July 2008 - 01:54 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Thanks andrewuk! ^_^ All right, it worked! The task bar popped a while ago, and now nothing is freezing! Here's your scan info:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:32, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\System Doctor\dcmon.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D991F06-156C-4F2D-9DFF-EB5E2B221660} - C:\WINDOWS\system32\cryptdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCPrivacyCleaner] C:\Program Files\PCPrivacyCleaner\pcpc.exe
O4 - HKLM\..\Run: [VirusRemover2008] C:\Program Files\VirusRemover2008\VRM2008.exe
O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com ad=http://drivecleaner.com sd=http://log.drivecleaner.com
O4 - HKLM\..\Run: [BMN(1)] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKCU\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com ad=http://drivecleaner.com sd=http://log.drivecleaner.com
O4 - HKCU\..\Run: [BMN(1)] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKUS\S-1-5-18\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O21 - SSODL: uRbaRYBtxgYn - {2C03AA4D-86A9-00E7-E074-4D2A5F97D7F8} - C:\WINDOWS\system32\qwlse.dll

--
End of file - 3895 bytes

- Little preacher man.
  • 0

#6
andrewuk
Posted 19 July 2008 - 02:04 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, you will need to get into safemode to run this tool. if you still cant get into safe mode, let me know and we will go another route.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

andrewuk
  • 0

#7
Leifgreen
Posted 19 July 2008 - 03:12 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Here you go! ^_^ I don't know if this is a different Hijackthis log or the old, but you'll be able to tell the difference! ^_^

Thanks again andrewuk! ^_^ God Bless you forever!

- Little preacher man.

Attached Files


  • 0

#8
Leifgreen
Posted 19 July 2008 - 03:15 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
And here's the HiJackTHisLog! ^_^

Thanks again! ^_^ God Bless you forever! ^_^

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:18, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D991F06-156C-4F2D-9DFF-EB5E2B221660} - C:\WINDOWS\system32\cryptdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {93C31B01-29C5-465E-BD01-D77DABF41011} - C:\WINDOWS\system32\cryptdl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com ad=http://drivecleaner.com sd=http://log.drivecleaner.com
O4 - HKCU\..\Run: [BMN(1)] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKUS\S-1-5-18\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O21 - SSODL: uRbaRYBtxgYn - {2C03AA4D-86A9-00E7-E074-4D2A5F97D7F8} - C:\WINDOWS\system32\qwlse.dll

--
End of file - 2804 bytes


- Little preacher man.

Edited by Leifgreen, 19 July 2008 - 03:16 PM.

  • 0

#9
andrewuk
Posted 19 July 2008 - 03:19 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
i am posting the contents of your report here. in future, please always copy and paste the logs into your replies instead of uploading them, unless i ask otherwise.

SDFix: Version 1.206
Run by Austin on Sat 07/19/2008 at 15:27

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
Google Online Services
ICF
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
C:\Documents and Settings\Austin\ie_updates3r.exe -A
C:\WINDOWS\system32\svchost.exe:exe.exe
\??\C:\WINDOWS\TEMP\13.tmp

Google Online Services - Deleted
ICF - Deleted
{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Infected userinit.exe Found!

userinit.exe File Locations:

"C:\WINDOWS\system32\userinit.exe" 32120 07/18/2008 02:33
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 14:00

Infected File Listed Below:

C:\WINDOWS\system32\userinit.exe

File copied to Backups Folder
Attempting to replace userinit.exe with original version

Original userinit.exe Restored

"C:\WINDOWS\system32\userinit.exe" 24576 08/04/2004 14:00
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 14:00


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems]

Trojan File baseogn32.dll and startup entry Found!
baseogn32.dll will be removed after reboot if registry value is repaired


Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service asc3550p - Deleted
Service Xwsw71 - Deleted

Session Manager\SubSystems:
Windows ServerDll value restored to basesrv
Key export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Removing C:\WINDOWS\system32\baseogn32.dll



Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\09IXV8.SYZ - Deleted
C:\WINDOWS\SYSTEM32\1H1LDK.SYZ - Deleted
C:\WINDOWS\SYSTEM32\1OZJLU.SYZ - Deleted
C:\WINDOWS\SYSTEM32\4UTFCA.SYZ - Deleted
C:\WINDOWS\SYSTEM32\ATWJST.SYZ - Deleted
C:\WINDOWS\SYSTEM32\GX6HEV.SYZ - Deleted
C:\WINDOWS\SYSTEM32\JRBKES.SYZ - Deleted
C:\WINDOWS\SYSTEM32\LQ5TQG.SYZ - Deleted
C:\WINDOWS\SYSTEM32\M5XEKB.SYZ - Deleted
C:\WINDOWS\SYSTEM32\MQF2IC.SYZ - Deleted
C:\WINDOWS\SYSTEM32\PXD0IS.SYZ - Deleted
C:\WINDOWS\SYSTEM32\Q7CZZY.SYZ - Deleted
C:\WINDOWS\SYSTEM32\DFLGH8~1.EXE - Deleted
C:\Documents and Settings\NetworkService\Application Data\Install.dat - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\Abbr - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\ActivationCode - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\HOURS - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\ProductCode - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\1.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\2.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\5.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\6.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\7.dflb - Deleted
C:\Documents and Settings\Austin\ie_updates3r.exe - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v3xd1.g22me - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v4xd3.ga2me - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v4xd6.gam5e - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v5xd2.g3ame - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v5xd4.ga2me - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v6xdt4.game - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\vx1dt1.game - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\vx1dt3.game - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\vx3dt2.game - Deleted
C:\WINDOWS\system32\back.exe.exe - Deleted
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk - Deleted
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Brave-Sentry\Uninstall.lnk - Deleted
C:\Program Files\Common Files\System Doctor\dcmon.exe - Deleted
C:\WINDOWS\17PHolmes27.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q1.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q2.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q5.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q6.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q7.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q8.exe - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vedxga3me2.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga4me1.exe - Deleted
C:\WINDOWS\system32\vedxga5me3.exe - Deleted
C:\WINDOWS\system32\wpx15.cpx - Deleted
C:\WINDOWS\system32\wpx2.cpx - Deleted
C:\WINDOWS\system32\wpx25.cpx - Deleted
C:\WINDOWS\system32\wpx27.cpx - Deleted
C:\WINDOWS\system32\wpx29.cpx - Deleted
C:\WINDOWS\system32\wpx31.cpx - Deleted
C:\WINDOWS\system32\wpx34.cpx - Deleted
C:\WINDOWS\system32\wpx35.cpx - Deleted
C:\WINDOWS\system32\wpx5.cpx - Deleted
C:\ie_updater.exe - Deleted
C:\WINDOWS\system32\cssrss.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\wiaservb.log - Deleted
C:\WINDOWS\system32\baseogn32.dll - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\drivers\Xwsw71.sys - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\Documents and Settings\All Users\Application Data\System Doctor Free - Removed
Folder C:\Program Files\Common Files\System Doctor - Removed
Folder C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Brave-Sentry - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 23552 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 15:37:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GLOK+793B-246A]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GLOK+793B-246A\0000]
"Service"="glok+793b-246a"
"DeviceDesc"="glok+793b-246a"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\glok+793b-246a]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\glok+793b-246a.sys"
"DisplayName"="glok+793b-246a"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_GLOK+793B-246A]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_GLOK+793B-246A\0000]
"Service"="glok+793b-246a"
"DeviceDesc"="glok+793b-246a"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\glok+793b-246a]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\glok+793b-246a.sys"
"DisplayName"="glok+793b-246a"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\glok+793b-246a.sys 127104 bytes executable
C:\WINDOWS\glok+serv.config 43273 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 19 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BIT3.tmp"

Finished!
  • 0

#10
andrewuk
Posted 19 July 2008 - 03:25 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will do some scans to see what they catch. the scans will likely take 3 hours, quite possibly much longer. so just let them run.

if you cant do a step, then just let me know and go onto the next one. and please copy and paste the logs into your next replies, dont upload them.

feel free to post the logs as you get them, i will wait for the final DSS log.


====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



====STEP 4====
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
====STEP 6====
Please run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config
  • Click 'Run'
  • In the ensuing dialog box, uncheck 'Backing up Registry Hives'
  • Click Scan!
When finished, it shall produce main.txt and extra.txt for you.



In your next reply could i see:
1. the DrCureIT log
2. the malwarebytes log
3. the GMER log
3. the 2 DSS logs

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

Advertisements

#11
Leifgreen
Posted 19 July 2008 - 06:53 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Here's all the information, I'm also including the KASPERSKY report as well in a post. Thanks again, Be Blessed by God! ^_^

DrWeb-Cureit Log:

6bne4e.exe;C:\;Trojan.Spambot.3457;Deleted.;
installer.exe\data003;C:\Deckard\System Scanner\20080719123939\backup\DOCUME~1\Austin\LOCALS~1\Temp\UDC6_0001_D22M0802\installer.exe;Trojan.Fakealert.622;;
installer.exe\data004;C:\Deckard\System Scanner\20080719123939\backup\DOCUME~1\Austin\LOCALS~1\Temp\UDC6_0001_D22M0802\installer.exe;Trojan.Fakealert.623;;
installer.exe\data005;C:\Deckard\System Scanner\20080719123939\backup\DOCUME~1\Austin\LOCALS~1\Temp\UDC6_0001_D22M0802\installer.exe;Trojan.MulDrop.17207;;
installer.exe;C:\Deckard\System Scanner\20080719123939\backup\DOCUME~1\Austin\LOCALS~1\Temp\UDC6_0001_D22M0802;Archive contains infected objects;Moved.;
44.tmp.exe;C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp;Probably DLOADER.Trojan;;
45.tmp.exe;C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp;Probably DLOADER.Trojan;;
maxpaynow.game;C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp;Trojan.DownLoader.59067;Deleted.;
maxpaynowti.game;C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp;Dialer.Maxd;Deleted.;
rsyncini.exe;C:\Deckard\System Scanner\backup\WINDOWS\temp;Trojan.DownLoad.138;Deleted.;
SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\GenericRenosFix.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.C.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Documents and Settings\Austin\Desktop;Archive contains infected objects;Moved.;
404Fix.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
GenericRenosFix.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.C.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0001004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0001007.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0001012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0001013.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0002017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0003053.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0005053.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0006053.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0007053.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0008054.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0010053.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0011053.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015001.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Packed.142;Deleted.;
A0015005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015006.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015007.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015012.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015013.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015017.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015018.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0015055.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016003.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016004.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016005.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016007.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016008.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016009.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016010.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016011.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016015.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016016.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016052.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016058.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.PWS.FTPlich.2;Incurable.Moved.;
A0016060.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.based;Deleted.;
A0016061.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Packed.555;Deleted.;
A0016065.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.62803;Deleted.;
A0016071.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Packed.555;Deleted.;
A0016072.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.MulDrop.17277;Deleted.;
A0016074.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoad.2042;Deleted.;
A0016075.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.50175;Deleted.;
A0016076.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.50175;Deleted.;
A0016077.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoad.919;Deleted.;
A0016078.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.based;Deleted.;
A0016079.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Spambot.3457;Deleted.;
A0016083.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Okuks.based;Cured.;
A0016089.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.62803;Deleted.;
A0016090.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Packed.555;Deleted.;
A0016092.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Spambot.3457;Deleted.;
A0016100.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.based;Deleted.;
A0016101.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.based;Deleted.;
A0016104.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.PWS.FTPlich.2;Incurable.Moved.;
A0016105.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Packed.555;Deleted.;
A0016106.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.MulDrop.17277;Deleted.;
A0016108.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoad.2042;Deleted.;
A0016109.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.50175;Deleted.;
A0016110.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoader.50175;Deleted.;
A0016111.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoad.919;Deleted.;
A0016140.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0016153.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016153.exe;Tool.Prockill;;
A0016153.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Archive contains infected objects;Moved.;
A0016154.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0016155.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.MulDrop.17826;Deleted.;
A0016156.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016157.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016158.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016159.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016160.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016161.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016162.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016163.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016164.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016165.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016166.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.1180;Deleted.;
A0016167.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0016177.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Proxy.3351;Deleted.;
A0016178.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0016179.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0016180.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0017086.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Spambot.3457;Deleted.;
A0017087.exe\data003;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017087.exe;Trojan.Fakealert.622;;
A0017087.exe\data004;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017087.exe;Trojan.Fakealert.623;;
A0017087.exe\data005;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017087.exe;Trojan.MulDrop.17207;;
A0017087.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Archive contains infected objects;Moved.;
A0017088.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.DownLoad.138;Deleted.;
A0017089.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017089.exe;BackDoor.IRC.Chazz.38;;
A0017089.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017089.exe;BackDoor.IRC.Chazz.38;;
A0017089.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017089.exe;BackDoor.IRC.Chazz.38;;
A0017089.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017089.exe;BackDoor.IRC.Chazz.38;;
A0017089.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017089.exe;Tool.Prockill;;
A0017089.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017089.exe;Tool.ShutDown.11;;
A0017089.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Archive contains infected objects;Moved.;
A0017090.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;BackDoor.IRC.Chazz.38;Deleted.;
A0017091.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;BackDoor.IRC.Chazz.38;Deleted.;
A0017092.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;BackDoor.IRC.Chazz.38;Deleted.;
A0017093.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;BackDoor.IRC.Chazz.38;Deleted.;
404Fix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
gwil534.exe;C:\WINDOWS\system32;Trojan.Packed.555;Deleted.;
gwil749.exe;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
IEDFix.C.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
svchost.exe;C:\WINDOWS\system32\dllcache;Trojan.Starter.384;Cured.;

GMER Scan:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-19 18:36:13
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\system32\winlogon.exe[600] C:\WINDOWS\system32\winlogon.exe section is executable [0x01076000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\services.exe[644] C:\WINDOWS\system32\services.exe section is executable [0x0101B000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[860] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1004] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1056] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.reloc C:\WINDOWS\Explorer.EXE[1260] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x5000, 0x62000060]

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0xba50e41 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016140.exe:exe.exe 23552 bytes executable

---- EOF - GMER 1.0.14 ----

Malwarebyte's Log:

Malwarebytes' Anti-Malware 1.21
Database version: 967
Windows 5.1.2600 Service Pack 2

6:26:02 PM 7/19/2008
mbam-log-7-19-2008 (18-26-02).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 56138
Time elapsed: 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{65de966d-11d1-4bb1-bf7e-b8a273514daf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\udcpchk.udcpchk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\udcpchk.udcpchk.1 (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{943b96a4-9bf6-42fe-8d0b-4bca71c3632f} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5954b2db-09a7-4023-847c-107539dc560d} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4f43b1f3-0ce8-493b-96d2-990cec05edbb} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d991f06-156c-4f2d-9dff-eb5e2b221660} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d991f06-156c-4f2d-9dff-eb5e2b221660} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93c31b01-29c5-465e-bd01-d77dabf41011} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93c31b01-29c5-465e-bd01-d77dabf41011} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\drivecleaner freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\drivecleaner freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Austin\Application Data\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\DriveCleaner Freeware\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\System Doctor Free (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\System Doctor Free\Logs (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

Files Infected:
C:\Deckard\System Scanner\backup\WINDOWS\temp\tcdexgxp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\A0016058.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\A0016104.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016073.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016107.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016064.exe (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016093.exe (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017095.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017096.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\DriveCleaner Freeware\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\System Doctor Free\Logs\update.log (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cryptdl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\glok+serv.config (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk (Rogue.VirusRemove) -> Quarantined and deleted successfully.
C:\Documents and Settings\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\PCPrivacyCleaner.lnk (Rogue.PCPrivacyCleaner) -> Quarantined and deleted successfully.

- Little preacher man.

Edited by Leifgreen, 19 July 2008 - 06:56 PM.

  • 0

#12
Leifgreen
Posted 19 July 2008 - 06:58 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
DSS:

Deckard's System Scanner v20071014.68
Run by Austin on 2008-07-19 19:41:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2008-07-19 17:39:59 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-07-19 17:35:38 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Austin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:50, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Austin\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Austin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com ad=http://drivecleaner.com sd=http://log.drivecleaner.com
O4 - HKCU\..\Run: [BMN(1)] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKUS\S-1-5-18\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB

--
End of file - 2652 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ZD1211BU(ZyDAS) (ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)) - c:\windows\system32\drivers\zd1211bu.sys <Not Verified; ZyDAS Technology Corporation; ZD1211B 802.11 b+g USB LAN Adapter>
R3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 catchme - c:\docume~1\austin\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_60061509&REV_A2\3&2411E6FE&0&28
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_60061509&REV_A2\3&2411E6FE&0&28
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_60061509&REV_A2\3&2411E6FE&0&51
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_60061509&REV_A2\3&2411E6FE&0&51
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&DC268A3&0&3880
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&DC268A3&0&3880
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_60061509&REV_A1\3&2411E6FE&0&A0
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_60061509&REV_A1\3&2411E6FE&0&A0
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel Acoustic Echo Canceller
Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Manufacturer: Microsoft
Name: Microsoft Kernel Acoustic Echo Canceller
PNP Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Service: aec

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DRM Audio Descrambler
Device ID: SW\{EEC12DB6-AD9C-4168-8658-B03DAEF417FE}\{ABD61E00-9350-47E2-A632-4438B90C6641}
Manufacturer: Microsoft
Name: Microsoft Kernel DRM Audio Descrambler
PNP Device ID: SW\{EEC12DB6-AD9C-4168-8658-B03DAEF417FE}\{ABD61E00-9350-47E2-A632-4438B90C6641}
Service: drmkaud


-- Files created between 2008-06-19 and 2008-07-19 -----------------------------

2008-07-19 18:39:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-19 18:39:30 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-19 18:39:28 0 d-------- C:\WINDOWS\LastGood
2008-07-19 17:58:35 0 d-------- C:\Documents and Settings\Austin\Application Data\Malwarebytes
2008-07-19 17:58:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 17:58:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 16:46:04 0 d-------- C:\Documents and Settings\Austin\DoctorWeb
2008-07-19 15:43:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-19 15:23:38 0 d-------- C:\WINDOWS\ERUNT
2008-07-19 14:51:24 0 d-------- C:\Program Files\Trend Micro
2008-07-18 19:16:27 1508 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 19:12:08 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-18 19:12:08 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-18 19:12:08 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-18 19:12:08 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-18 19:12:08 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-18 19:12:08 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-18 18:29:09 0 d-------- C:\Program Files\msn gaming zone
2008-07-18 18:18:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-07-18 17:56:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-18 17:54:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-18 17:54:13 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-18 17:54:13 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-18 02:40:44 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-17 23:51:08 91648 --a------ C:\WINDOWS\system32\cnvfa.dll
2008-07-17 15:29:40 0 d-------- C:\WINDOWS\Sun
2008-07-17 15:29:40 0 d-------- C:\Documents and Settings\Austin\Application Data\Sun
2008-07-16 21:51:13 0 d-------- C:\Program Files\Java
2008-07-16 21:49:23 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 16:33:33 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-16 16:33:31 82944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-16 16:33:14 172416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-16 16:32:33 0 d-------- C:\Program Files\Realtek AC97
2008-07-16 15:51:19 0 d-------- C:\Documents and Settings\Austin\Application Data\Uniblue
2008-07-16 15:51:14 0 d-------- C:\Program Files\Uniblue
2008-07-16 13:15:43 0 d-------- C:\My Recordings
2008-07-16 13:09:28 0 d-------- C:\Program Files\FREE Hi-Q Recorder
2008-07-16 11:05:07 272128 -----n--- C:\WINDOWS\system32\drivers\bthport.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-16 10:32:08 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-16 10:32:06 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-16 10:26:13 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-16 10:20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-16 10:20:23 0 d-------- C:\Documents and Settings\Austin\Application Data\Mozilla
2008-07-16 09:31:46 0 d-------- C:\Program Files\Realtek Sound Manager
2008-07-16 09:31:44 0 d-------- C:\Program Files\AvRack
2008-07-16 09:31:43 147456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll <Not Verified; ; RtlCPAPI Module>
2008-07-16 09:31:43 4127488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys <Not Verified; Realtek Semiconductor Corp.; Windows ® WDM driver for Realtek AC'97 Audio(HRTF data Copyright 1994 by MIT Media Lab)>
2008-07-16 09:31:43 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-16 09:31:43 577536 --a------ C:\WINDOWS\soundman.exe <Not Verified; Realtek Semiconductor Corp.; Realtek Sound Manager>
2008-07-16 09:31:42 10528768 --a------ C:\WINDOWS\system32\RTLCPL.exe <Not Verified; Realtek Semiconductor Corp.; Realtek Audio Sound Effect Manager>
2008-07-16 09:31:42 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-16 09:31:42 217088 --a------ C:\WINDOWS\Alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-07-16 09:27:52 0 d-------- C:\cabs
2008-07-16 08:46:36 0 d-------- C:\Documents and Settings\Austin\Application Data\Macromedia
2008-07-15 23:06:25 17151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 81920 --a------ C:\WINDOWS\system32\ZDPN50.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 31744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 17664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 488960 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys <Not Verified; ZyDAS Technology Corporation; ZD1211B 802.11 b+g USB LAN Adapter>
2008-07-15 23:06:25 29184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:24 24576 --a------ C:\WINDOWS\system32\ZyDelReg.exe <Not Verified; ; ZyDelReg Application>
2008-07-15 23:06:24 15872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 28672 --a------ C:\WINDOWS\system32\InsDrvZD.dll <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 0 d-------- C:\Program Files\ZyDAS Technology Corporation
2008-07-15 23:06:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 23:06:18 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-15 22:47:14 102400 --a------ C:\WINDOWS\system32\unzip32.dll <Not Verified; Info-ZIP; Info-ZIP's UnZip Windows DLL>
2008-07-15 22:47:14 160768 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-15 22:47:14 77312 --a------ C:\WINDOWS\system32\UNACEV2.DLL
2008-07-15 22:47:13 0 d-------- C:\Program Files\UnzipThemAll
2008-07-14 17:37:23 0 d-------- C:\WINDOWS\pss
2008-07-13 19:59:17 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 16:22:02 0 d-------- C:\Documents and Settings\Austin\Application Data\AdobeUM
2008-07-07 16:21:57 0 d-------- C:\Documents and Settings\Austin\Application Data\Adobe
2008-07-07 16:21:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-07 13:47:59 0 d-------- C:\Documents and Settings\Austin\Application Data\Identities
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\WINDOWS
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Templates
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Start Menu
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\SendTo
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Recent
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\PrintHood
2008-07-07 13:47:58 1572864 --ah----- C:\Documents and Settings\Austin\ntuser.dat
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\NetHood
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\My Documents
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Local Settings
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Favorites
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\Desktop
2008-07-07 13:47:58 0 d---s---- C:\Documents and Settings\Austin\Cookies
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Application Data
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-07-07 13:44:01 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2008-07-07 13:44:00 2 --a------ C:\REQUEST_OEMRESET_ENDUSER
2008-07-07 13:41:15 0 d--hs---- C:\System Volume Information
2008-07-07 13:39:55 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-07-07 13:35:09 0 d-------- C:\WINDOWS\SMINST
2008-07-07 13:34:48 506368 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-07 13:34:32 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-07 13:34:32 4096 --ahs---- C:\WINDOWS\system32\qweasdf.dat
2008-07-07 13:34:29 58880 --a------ C:\WINDOWS\system32\spoolsv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-07 13:34:23 110592 --a------ C:\WINDOWS\system32\services.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-07 13:33:19 14848 --a------ C:\WINDOWS\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-07 13:32:20 1034752 --a------ C:\WINDOWS\explorer.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-07 13:31:09 0 d-------- C:\WINDOWS\I386


-- Find3M Report ---------------------------------------------------------------

2008-07-19 15:37:43 0 d-------- C:\Program Files\Common Files
2008-07-17 19:15:37 0 d-------- C:\Program Files\Windows NT
2008-07-17 19:15:32 0 d-------- C:\Program Files\Movie Maker
2008-07-17 19:15:31 0 d-------- C:\Program Files\Messenger
2008-07-17 19:01:51 0 d-------- C:\Program Files\Online Services


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 15:28 C:\WINDOWS\soundman.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMN"="C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" []
"BMN(1)"="C:\Program Files\Common Files\System Doctor\dcmon.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iexplorer"=C:\WINDOWS\iexplorer.exe --system

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [7/15/2008 11:06:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
C:\Program Files\BraveSentry\BraveSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Freeware]
"C:\Program Files\DriveCleaner Freeware\UDC.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem]
C:\WINDOWS\system32\maxpaynowti1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcr5mj0e71n]
C:\WINDOWS\system32\lphcr5mj0e71n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Doctor Free]
C:\Program Files\System Doctor Free\systemdoc.exe -scan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System32]
C:\WINDOWS\system32\winds32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor Free]
C:\Program Files\System Doctor Free\systemdoc.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDrive]
C:\WINDOWS\system32\maxpaynow1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6_cw]
"C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMDM PMSP Service]
C:\WINDOWS\system32\cssrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)
"Google Online Services"=2 (0x2)

*Newly Created Service* - GMER



-- End of Deckard's System Scanner: finished at 2008-07-19 19:44:52 ------------

DSS 2:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3300+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 222.42 MiB / 111.11 MiB
Pagefile Memory (total/avail): 542.56 MiB / 386.71 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.21 MiB

C: is Fixed (NTFS) - 93.16 GiB total, 87.67 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3100011A - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.16 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Austin\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-E0B3EB9D47
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Austin
LOGONSERVER=\\YOUR-E0B3EB9D47
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Austin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Austin\LOCALS~1\Temp
USERDOMAIN=YOUR-E0B3EB9D47
USERNAME=Austin
USERPROFILE=C:\Documents and Settings\Austin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Austin (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
FREE Hi-Q Recorder 1.92 --> "C:\Program Files\FREE Hi-Q Recorder\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
UnzipThemAll 1.3 --> "C:\Program Files\UnzipThemAll\unins000.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
ZyDAS IEEE 802.11 b+g Wireless LAN - USB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-1211-088635773309}\SETUP.EXE" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type159 / Error
Event Submitted/Written: 07/19/2008 07:41:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x0003426d.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type124 / Error
Event Submitted/Written: 07/19/2008 00:46:31 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type123 / Error
Event Submitted/Written: 07/19/2008 00:46:31 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type122 / Error
Event Submitted/Written: 07/19/2008 00:40:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module unknown, version 0.0.0.0, fault address 0x00bd2985.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type121 / Error
Event Submitted/Written: 07/19/2008 00:37:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module unknown, version 0.0.0.0, fault address 0x00bd2985.
Processing media-specific event for [dss.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1802 / Error
Event Submitted/Written: 07/19/2008 05:26:57 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type1801 / Error
Event Submitted/Written: 07/19/2008 05:26:57 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,time.nist.gov'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type1791 / Warning
Event Submitted/Written: 07/19/2008 05:17:54 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\KEN-2Y1S8XPHV70 on the network \Device\NetBT_Tcpip_{DCEA6DC9-DEC1-49C9-A63C-C1717289461B}.
The data is the error code.

Event Record #/Type1707 / Error
Event Submitted/Written: 07/19/2008 03:36:48 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Computer Browser service depends on the Server service which failed to start because of the following error:
%%231

Event Record #/Type1706 / Error
Event Submitted/Written: 07/19/2008 03:36:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Server service failed to start due to the following error:
%%231



-- End of Deckard's System Scanner: finished at 2008-07-19 19:44:52 ------------

KASPERSKY:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 19, 2008 19:36:49
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/07/2008
Kaspersky Anti-Virus database records: 975692
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 23873
Number of viruses found: 25
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 00:22:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\cert8.db Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\content-prefs.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\cookies.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\downloads.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\formhistory.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\key3.db Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\parent.lock Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\permissions.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\places.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\places.sqlite-journal Object is locked skipped
C:\Documents and Settings\Austin\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Austin\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\A0017089.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\A0017089.exe RAR: infected - 1 skipped
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjkfjmvz.default\urlclassifier3.sqlite Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\History\History.IE5\MSHist012008071920080720\index.dat Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Temp\etilqs_MHDFfhmY0K1FzJ86rZf5 Object is locked skipped
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Austin\ntuser.dat Object is locked skipped
C:\Documents and Settings\Austin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\SDFix\backups\backups.zip/backups/09iXV8.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/1.dflb Infected: Trojan-Downloader.Win32.Tibs.afo skipped
C:\SDFix\backups\backups.zip/backups/17PHolmes27.exe Infected: Trojan-Downloader.Win32.Homles.br skipped
C:\SDFix\backups\backups.zip/backups/1H1lDK.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/1oZJLu.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/2.dflb Infected: Hoax.Win32.Renos.vany skipped
C:\SDFix\backups\backups.zip/backups/4utfCa.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/6.dflb Infected: Trojan.Win32.Pakes.jvb skipped
C:\SDFix\backups\backups.zip/backups/7.dflb Infected: Trojan.Win32.Pakes.jvc skipped
C:\SDFix\backups\backups.zip/backups/aTwJSt.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/back.exe.exe Infected: Email-Worm.Win32.Zhelatin.aep skipped
C:\SDFix\backups\backups.zip/backups/dflgh8jkd2q1.exe Infected: Trojan-Downloader.Win32.Tibs.afo skipped
C:\SDFix\backups\backups.zip/backups/dflgh8jkd2q2.exe Infected: Hoax.Win32.Renos.vany skipped
C:\SDFix\backups\backups.zip/backups/dflgh8jkd2q6.exe Infected: Trojan.Win32.Pakes.jvb skipped
C:\SDFix\backups\backups.zip/backups/dflgh8jkd2q7.exe Infected: Trojan.Win32.Pakes.jvc skipped
C:\SDFix\backups\backups.zip/backups/GX6hev.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/ie_updater.exe Infected: Trojan-Downloader.Win32.Winlagons.aas skipped
C:\SDFix\backups\backups.zip/backups/ie_updates3r.exe Infected: Trojan-Downloader.Win32.Winlagons.aas skipped
C:\SDFix\backups\backups.zip/backups/jRBkES.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/lQ5TqG.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/m5XEKB.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/MQF2IC.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/pxD0Is.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/Q7CzzY.syz Infected: Rootkit.Win32.Agent.bby skipped
C:\SDFix\backups\backups.zip/backups/userinit.exe Infected: Trojan.Win32.Pakes.ddu skipped
C:\SDFix\backups\backups.zip/backups/v3xd1.g22me/data0000 Infected: Trojan-Downloader.Win32.Tibs.afp skipped
C:\SDFix\backups\backups.zip/backups/v3xd1.g22me Infected: Trojan-Downloader.Win32.Tibs.afp skipped
C:\SDFix\backups\backups.zip/backups/v4xd3.ga2me Infected: Trojan-Downloader.Win32.Small.xpq skipped
C:\SDFix\backups\backups.zip/backups/v4xd6.gam5e Infected: Trojan-Downloader.Win32.Small.yja skipped
C:\SDFix\backups\backups.zip/backups/v5xd2.g3ame/data0000 Infected: Trojan-Downloader.Win32.Agent.wlz skipped
C:\SDFix\backups\backups.zip/backups/v5xd2.g3ame Infected: Trojan-Downloader.Win32.Agent.wlz skipped
C:\SDFix\backups\backups.zip/backups/v6xdt4.game Infected: Trojan-Downloader.Win32.Tibs.afp skipped
C:\SDFix\backups\backups.zip/backups/vedxg4am1et2.exe Infected: Trojan-Downloader.Win32.Cntr.ioq skipped
C:\SDFix\backups\backups.zip/backups/vedxga1me4t1.exe Infected: Trojan-Downloader.Win32.Tibs.afn skipped
C:\SDFix\backups\backups.zip/backups/vedxga4m1et4.exe Infected: Trojan-Downloader.Win32.Tibs.afp skipped
C:\SDFix\backups\backups.zip/backups/vedxga4me1.exe/data0000 Infected: Trojan-Downloader.Win32.Tibs.afp skipped
C:\SDFix\backups\backups.zip/backups/vedxga4me1.exe Infected: Trojan-Downloader.Win32.Tibs.afp skipped
C:\SDFix\backups\backups.zip/backups/vedxga5me3.exe Infected: Trojan-Downloader.Win32.Small.xpq skipped
C:\SDFix\backups\backups.zip/backups/vx1dt1.game Infected: Trojan-Downloader.Win32.Tibs.afn skipped
C:\SDFix\backups\backups.zip/backups/vx1dt3.game Infected: Trojan-Downloader.Win32.Tibs.afq skipped
C:\SDFix\backups\backups.zip/backups/vx3dt2.game Infected: Trojan-Downloader.Win32.Cntr.ioq skipped
C:\SDFix\backups\backups.zip/backups/wpx15.cpx Infected: Trojan-Downloader.Win32.Cntr.ca skipped
C:\SDFix\backups\backups.zip/backups/wpx2.cpx Infected: Trojan.Win32.Pakes.ddu skipped
C:\SDFix\backups\backups.zip/backups/wpx25.cpx Infected: Trojan.Win32.Pakes.juv skipped
C:\SDFix\backups\backups.zip/backups/wpx27.cpx Infected: Email-Worm.Win32.Zhelatin.adt skipped
C:\SDFix\backups\backups.zip/backups/wpx29.cpx Infected: Trojan.Win32.Buzus.mey skipped
C:\SDFix\backups\backups.zip/backups/wpx34.cpx Infected: Trojan.Win32.Buzus.mly skipped
C:\SDFix\backups\backups.zip/backups/wpx35.cpx Infected: Trojan-Spy.Win32.Zbot.dhj skipped
C:\SDFix\backups\backups.zip/backups/wpx5.cpx Infected: Trojan-Downloader.Win32.Small.ykb skipped
C:\SDFix\backups\backups.zip ZIP: infected - 49 skipped
C:\SDFix\backups\catchme.zip/ntos.exe Infected: Trojan-Spy.Win32.Zbot.dhj skipped
C:\SDFix\backups\catchme.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016066.exe Infected: Trojan-Downloader.Win32.Tibs.afo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016067.exe Infected: Hoax.Win32.Renos.vany skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016069.exe Infected: Trojan.Win32.Pakes.jvb skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016070.exe Infected: Trojan.Win32.Pakes.jvc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016094.exe Infected: Trojan-Downloader.Win32.Tibs.afo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016095.exe Infected: Hoax.Win32.Renos.vany skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016097.exe Infected: Trojan.Win32.Pakes.jvb skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016098.exe Infected: Trojan.Win32.Pakes.jvc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017099.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\System Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

- Little preacher man.
  • 0

#13
andrewuk
Posted 19 July 2008 - 07:07 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will get an antivirus program onto your machine and run it before we continue with the fix. we are in danger of just getting re-infected as we go along and so ending up chasing our tails.

This program is basic for the security of your computer and in todays age not having one will probably lead to disaster for your computer.

Please go http://www.avast.com.../down_home.html and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded, double-click on the file to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow, when the installation will finish, you will be given an option to schedule a boot time scan, select No

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message about avast! it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right click on the a in the taskbar and select Updating, then highlight and click Program.

You will get popup after its done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast! right click the small icon a in task bar and click Start Avast! AntiVirus

Click Program Registration and you will be taken to their website. Fill out the form and then check you e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click ok.

After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Read also this tutorial http://www.schmahl.n...astbootscan.htm it may make it easier to you to follow the steps.

Next, choose
Scan all local disks
scan archive files
click on Schedule
On the next dialog Operating system restart needed select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE since your system has infections on it, avast! will give you dialog box with recommended actions, and options, please make sure if this happens, to click the Move to Chest button, and not to delete any reported files.

On completion of the boot scan there will be a report at this location C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt Please post that in your next reply.



In your next reply could i see:
1. the avast log
2. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#14
Leifgreen
Posted 20 July 2008 - 01:54 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
All Right! Thanks for your help! ^_^ I will redo the scan, since I hit "Ignore all" instead of "Move all to the Chest!" ^_^"

Also, before I scan again, I have a question ask. The system has been running low on memory, so I restored (Not wiped! ^_^ ) The computer with the system recovery CD thinking it would update my memory. Was this all right to do? ^_^

Thanks again for your help! GOD Bless you! ^_^

- Little preacher man.
  • 0

#15
Leifgreen
Posted 20 July 2008 - 02:55 PM

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Uh oh! When ever I try to Move all items into the chest, it brings an error: 43111. "The operation is not supported by this kind of archive."

Do you know what's wrong? Sorry for the trouble, if I'm causing any... ^_^

GOD Bless you! ^_^

- Little preacher man.

Edited by Leifgreen, 20 July 2008 - 03:13 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP