Leif Needs help with Removing Viruses! [RESOLVED]



#16
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
OK, you seem to have moved things on here.

Uninstall Avast from Add/Remove Programs in the Control Panel.

Then, assuming you still have the DSS program (if not, download Deckard's System Scanner (DSS) and save it to your Desktop):

Click on Start, then click on Run.
Copy and paste the following into the Open box and then click OK:

"%userprofile%\desktop\dss.exe" /config

This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad:
main.txt and extra.txt.

andrewuk


#17
Leifgreen (Topic Starter, Member, 49 posts)
main.txt

Deckard's System Scanner v20071014.68
Run by Austin on 2008-07-20 16:38:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-07-20 21:38:57 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-07-20 20:25:29 UTC - RP3 - System Checkpoint
2: 2008-07-19 17:39:59 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-07-19 17:35:38 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Austin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:28, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Austin\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Austin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com ad=http://drivecleaner.com sd=http://log.drivecleaner.com
O4 - HKCU\..\Run: [BMN(1)] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKUS\S-1-5-18\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB

--
End of file - 2703 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 catchme - c:\docume~1\austin\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_60061509&REV_A2\3&2411E6FE&0&28
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_60061509&REV_A2\3&2411E6FE&0&28
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_60061509&REV_A2\3&2411E6FE&0&51
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_60061509&REV_A2\3&2411E6FE&0&51
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&DC268A3&0&3880
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&DC268A3&0&3880
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_60061509&REV_A1\3&2411E6FE&0&A0
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_60061509&REV_A1\3&2411E6FE&0&A0
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel Acoustic Echo Canceller
Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Manufacturer: Microsoft
Name: Microsoft Kernel Acoustic Echo Canceller
PNP Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Service: aec

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DRM Audio Descrambler
Device ID: SW\{EEC12DB6-AD9C-4168-8658-B03DAEF417FE}\{ABD61E00-9350-47E2-A632-4438B90C6641}
Manufacturer: Microsoft
Name: Microsoft Kernel DRM Audio Descrambler
PNP Device ID: SW\{EEC12DB6-AD9C-4168-8658-B03DAEF417FE}\{ABD61E00-9350-47E2-A632-4438B90C6641}
Service: drmkaud


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-19 20:14:02 0 d-------- C:\Program Files\Alwil Software
2008-07-19 18:39:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-19 18:39:30 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-19 17:58:35 0 d-------- C:\Documents and Settings\Austin\Application Data\Malwarebytes
2008-07-19 17:58:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 17:58:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 16:46:04 0 d-------- C:\Documents and Settings\Austin\DoctorWeb
2008-07-19 15:43:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-19 15:23:38 0 d-------- C:\WINDOWS\ERUNT
2008-07-19 14:51:24 0 d-------- C:\Program Files\Trend Micro
2008-07-18 19:16:27 1508 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 19:12:08 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-18 19:12:08 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-18 19:12:08 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-18 19:12:08 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-18 19:12:08 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-18 19:12:08 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-18 18:18:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-07-18 17:56:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-18 17:54:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-18 17:54:13 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-18 17:54:13 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-18 02:40:44 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-17 23:51:08 91648 --a------ C:\WINDOWS\system32\cnvfa.dll
2008-07-17 15:29:40 0 d-------- C:\WINDOWS\Sun
2008-07-17 15:29:40 0 d-------- C:\Documents and Settings\Austin\Application Data\Sun
2008-07-16 21:51:13 0 d-------- C:\Program Files\Java
2008-07-16 21:49:23 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 16:32:33 0 d-------- C:\Program Files\Realtek AC97
2008-07-16 15:51:19 0 d-------- C:\Documents and Settings\Austin\Application Data\Uniblue
2008-07-16 15:51:14 0 d-------- C:\Program Files\Uniblue
2008-07-16 13:15:43 0 d-------- C:\My Recordings
2008-07-16 13:09:28 0 d-------- C:\Program Files\FREE Hi-Q Recorder
2008-07-16 10:32:08 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-16 10:32:06 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-16 10:26:13 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-16 10:20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-16 10:20:23 0 d-------- C:\Documents and Settings\Austin\Application Data\Mozilla
2008-07-16 09:31:46 0 d-------- C:\Program Files\Realtek Sound Manager
2008-07-16 09:31:44 0 d-------- C:\Program Files\AvRack
2008-07-16 09:31:42 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-16 09:27:52 0 d-------- C:\cabs
2008-07-16 08:46:36 0 d-------- C:\Documents and Settings\Austin\Application Data\Macromedia
2008-07-15 23:06:25 17151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 81920 --a------ C:\WINDOWS\system32\ZDPN50.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 31744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 17664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 29184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:24 24576 --a------ C:\WINDOWS\system32\ZyDelReg.exe <Not Verified; ; ZyDelReg Application>
2008-07-15 23:06:24 15872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 28672 --a------ C:\WINDOWS\system32\InsDrvZD.dll <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 0 d-------- C:\Program Files\ZyDAS Technology Corporation
2008-07-15 23:06:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 23:06:18 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-15 22:47:14 102400 --a------ C:\WINDOWS\system32\unzip32.dll <Not Verified; Info-ZIP; Info-ZIP's UnZip Windows DLL>
2008-07-15 22:47:14 160768 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-15 22:47:14 77312 --a------ C:\WINDOWS\system32\UNACEV2.DLL
2008-07-15 22:47:13 0 d-------- C:\Program Files\UnzipThemAll
2008-07-14 17:37:23 0 d-------- C:\WINDOWS\pss
2008-07-13 19:59:17 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 16:22:02 0 d-------- C:\Documents and Settings\Austin\Application Data\AdobeUM
2008-07-07 16:21:57 0 d-------- C:\Documents and Settings\Austin\Application Data\Adobe
2008-07-07 16:21:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-07 13:47:59 0 d-------- C:\Documents and Settings\Austin\Application Data\Identities
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\WINDOWS
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Templates
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Start Menu
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\SendTo
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Recent
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\PrintHood
2008-07-07 13:47:58 1572864 --ah----- C:\Documents and Settings\Austin\ntuser.dat
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\NetHood
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\My Documents
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Local Settings
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Favorites
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\Desktop
2008-07-07 13:47:58 0 d---s---- C:\Documents and Settings\Austin\Cookies
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Application Data
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-07-07 13:44:01 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2008-07-07 13:44:00 2 --a------ C:\REQUEST_OEMRESET_ENDUSER
2008-07-07 13:41:15 0 d--hs---- C:\System Volume Information
2008-07-07 13:39:55 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-07-07 13:35:09 0 d-------- C:\WINDOWS\SMINST
2008-07-07 13:34:32 4096 --ahs---- C:\WINDOWS\system32\qweasdf.dat
2008-07-07 13:31:09 0 d-------- C:\WINDOWS\I386


-- Find3M Report ---------------------------------------------------------------

2008-07-20 16:01:32 0 d-------- C:\Program Files\Windows NT
2008-07-20 16:01:28 0 d-------- C:\Program Files\Movie Maker
2008-07-20 16:01:26 0 d-------- C:\Program Files\Messenger
2008-07-20 15:47:47 0 d-------- C:\Program Files\Online Services


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 14:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMN"="C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" []
"BMN(1)"="C:\Program Files\Common Files\System Doctor\dcmon.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iexplorer"=C:\WINDOWS\iexplorer.exe --system

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [7/15/2008 11:06:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
C:\Program Files\BraveSentry\BraveSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Freeware]
"C:\Program Files\DriveCleaner Freeware\UDC.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem]
C:\WINDOWS\system32\maxpaynowti1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcr5mj0e71n]
C:\WINDOWS\system32\lphcr5mj0e71n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Doctor Free]
C:\Program Files\System Doctor Free\systemdoc.exe -scan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System32]
C:\WINDOWS\system32\winds32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor Free]
C:\Program Files\System Doctor Free\systemdoc.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDrive]
C:\WINDOWS\system32\maxpaynow1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6_cw]
"C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMDM PMSP Service]
C:\WINDOWS\system32\cssrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)
"Google Online Services"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-07-20 16:42:37 ------------


extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3300+
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 222.42 MiB / 94.46 MiB
Pagefile Memory (total/avail): 542.56 MiB / 433.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.21 MiB

C: is Fixed (NTFS) - 93.16 GiB total, 87.59 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3100011A - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.16 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Austin\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-E0B3EB9D47
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Austin
LOGONSERVER=\\YOUR-E0B3EB9D47
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Austin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Austin\LOCALS~1\Temp
USERDOMAIN=YOUR-E0B3EB9D47
USERNAME=Austin
USERPROFILE=C:\Documents and Settings\Austin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Austin (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
FREE Hi-Q Recorder 1.92 --> "C:\Program Files\FREE Hi-Q Recorder\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
UnzipThemAll 1.3 --> "C:\Program Files\UnzipThemAll\unins000.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
ZyDAS IEEE 802.11 b+g Wireless LAN - USB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-1211-088635773309}\SETUP.EXE" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type78 / Error
Event Submitted/Written: 07/20/2008 04:39:00 PM
Event ID/Source: 454 / ESENT
Event Description:
Catalog Database (904) Database recovery/restore failed with unexpected error -1202.

Event Record #/Type18 / Error
Event Submitted/Written: 07/20/2008 02:50:09 PM
Event ID/Source: 471 / ESENT
Event Description:
Catalog Database (948) Unable to rollback operation #92 on database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb. Error: -510. All future database updates will be rejected.

Event Record #/Type17 / Error
Event Submitted/Written: 07/20/2008 02:50:09 PM
Event ID/Source: 492 / ESENT
Event Description:
Catalog Database (948) The logfile sequence in "C:\WINDOWS\system32\CatRoot2\" has been halted due to a fatal error. No further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore from backup.

Event Record #/Type16 / Error
Event Submitted/Written: 07/20/2008 02:50:09 PM
Event ID/Source: 413 / ESENT
Event Description:
Catalog Database (948) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1022.

Event Record #/Type15 / Error
Event Submitted/Written: 07/20/2008 02:50:09 PM
Event ID/Source: 486 / ESENT
Event Description:
svchost (948) An attempt to move the file "C:\WINDOWS\system32\CatRoot2\edb.log" to "C:\WINDOWS\system32\CatRoot2\edb00017.log" failed with system error 183 (0x000000b7): "Cannot create a file when that file already exists. ". The move file operation will fail with error -1022 (0xfffffc02).



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type273 / Warning
Event Submitted/Written: 07/20/2008 04:37:29 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{DCEA6DC9-DEC1-49C9-A63C-C1717289461B}.

Event Record #/Type196 / Warning
Event Submitted/Written: 07/20/2008 04:11:16 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000E8E0DE588. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type141 / Warning
Event Submitted/Written: 07/20/2008 03:40:59 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000E8E0DE588. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type106 / Error
Event Submitted/Written: 07/20/2008 03:31:52 PM
Event ID/Source: 7006 / Service Control Manager
Event Description:
The ScRegSetValueExW call failed for Start with the following error:
%%5

Event Record #/Type105 / Error
Event Submitted/Written: 07/20/2008 03:31:52 PM
Event ID/Source: 7006 / Service Control Manager
Event Description:
The ScRegSetValueExW call failed for Start with the following error:
%%5



-- End of Deckard's System Scanner: finished at 2008-07-20 16:42:37 ------------


- Little preacher man.
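As an added worked example (not part of this thread and not code from DSS or HijackThis), the script below applies the kind of triage heuristics a helper uses when reading a log like the one above to the O4 autorun lines and the firewall AuthorizedApplications values posted in it. The system-binary list, the heuristics and the flag names are my own assumptions; the sample lines are copied from the log, and %windir% is expanded using the value shown in its Environment Variables section.

```python
import ntpath
import re
from collections import Counter

# Windows binaries whose names malware commonly imitates. Assumption: a short
# illustrative list, not an exhaustive one.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "iexplore.exe",
}
WINDIR = r"C:\WINDOWS"  # taken from the log's Environment Variables section

# O4 autorun lines copied from the HijackThis section of the posted main.txt.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com
O4 - HKUS\S-1-5-18\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
"""

# Firewall exception values copied from the Security Center section of extra.txt
# (registry-export format, so backslashes are doubled).
SAMPLE_FIREWALL_LINES = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                    r"(?: \(User '(?P<user>[^']*)'\))?$")
O4_STARTUP = re.compile(r"^O4 - (?P<hive>Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
EXE_IN_CMD = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
FW_ENTRY = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss names such as cssrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_binary(path: str, user: str = "") -> set:
    """Heuristic flags for one autorun or firewall-exception binary (triage hints, not a verdict)."""
    flags = set()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    name = ntpath.basename(path).lower()
    if directory == WINDIR.lower():
        flags.add("windows_root")          # executables rarely belong directly in C:\WINDOWS
    if re.fullmatch(r"[a-z]:", directory):
        flags.add("drive_root")            # nor directly in the root of a drive
    if name not in KNOWN_SYSTEM_BINARIES and any(
            edit_distance(name, known) <= 1 for known in KNOWN_SYSTEM_BINARIES):
        flags.add("lookalike")             # one edit away from a real system binary's name
    if user in ("SYSTEM", "Default user"):
        flags.add("system_hive_autorun")   # a Run value under S-1-5-18 / .DEFAULT is unusual for software
    return flags


def triage_hijackthis(text: str) -> list:
    """Parse O4 lines and return one {name, path, user, flags} record per entry."""
    results = []
    for line in text.strip().splitlines():
        match = O4_RUN.match(line) or O4_STARTUP.match(line)
        if not match:
            continue
        exe = EXE_IN_CMD.match(match.group("cmd"))
        path = exe.group("path") if exe else match.group("cmd")
        user = match.groupdict().get("user") or ""
        results.append({"name": match.group("name"), "path": path, "user": user,
                        "flags": assess_binary(path, user)})
    return results


def triage_firewall(text: str) -> list:
    """Parse AuthorizedApplications values; also flag a display name shared by several binaries."""
    entries = []
    for line in text.strip().splitlines():
        match = FW_ENTRY.match(line)
        if not match:
            continue
        raw_path, _scope, _state, label = match.group("value").rsplit(":", 3)
        path = raw_path.replace("\\\\", "\\")          # undo registry-export escaping
        if path.lower().startswith("%windir%"):
            path = WINDIR + path[len("%windir%"):]
        entries.append({"path": path, "label": label, "flags": assess_binary(path)})
    label_owners = Counter(e["label"].lower() for e in entries)
    for entry in entries:
        if label_owners[entry["label"].lower()] > 1:
            entry["flags"].add("shared_label")   # e.g. two unrelated binaries both called "DHCP Client"
    return entries


if __name__ == "__main__":
    for rec in triage_hijackthis(SAMPLE_O4_LINES) + triage_firewall(SAMPLE_FIREWALL_LINES):
        print(f"{rec['path']:<75} {sorted(rec['flags']) or 'clean'}")
```

The flags are hints for a human reviewer: an entry that comes back clean by these heuristics (the DriveCleaner value, for instance) still needs to be judged from what the program is and where it came from.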

#18
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Please run the MGA Diagnostic Tool and post back the report it shall produce:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


#19
Leifgreen (Topic Starter, Member, 49 posts)
Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-J8BM6-MXPH6-3R2BW
Windows Product Key Hash: YMRVitCEjlJfwDQfjDvm97FbWA4=
Windows Product ID: 76477-OEM-2111907-00103
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {21F9642F-061C-42A4-A3FD-903B36DB6C0E}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_16E0B333-156-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{21F9642F-061C-42A4-A3FD-903B36DB6C0E}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3R2BW</PKey><PID>76477-OEM-2111907-00103</PID><PIDType>2</PIDType><SID>S-1-5-21-3593971301-91526757-1643272074</SID><SYSTEM><Manufacturer>Gateway</Manufacturer><Model>D3315</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20051125000000.000000+000</Date><SLPBIOS>Gateway,Gateway,Gateway,Gateway</SLPBIOS></BIOS><HWID>84873F070184C04C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Generic</name><model>Generic</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>


- Little preacher man.

#20
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
let's try a different antivirus program:

Please install Avira Antivirus: http://www.free-av.com/ This is a free Antivirus.
  • Perform a full scan with Avira and let it delete everything it is finding.
  • Then reboot.
  • After reboot, open your Avira and select "reports".
  • There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

andrewuk
  • 0

#21
Leifgreen

    Member

  • Topic Starter
  • Member
  • 49 posts
Here it is! ^_^

Avira AntiVir Personal
Report file date: Sunday, July 20, 2008 17:42

Scanning for 1480850 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: YOUR-E0B3EB9D47

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 16:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 15:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 15:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 15:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 22:39:09
ANTIVIR2.VDF : 7.0.5.119 1264128 Bytes 7/15/2008 22:39:22
ANTIVIR3.VDF : 7.0.5.141 391168 Bytes 7/20/2008 22:39:27
Engineversion : 8.1.1.11
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 16:58:21
AESCRIPT.DLL : 8.1.0.59 307579 Bytes 7/20/2008 22:39:50
AESCN.DLL : 8.1.0.23 119156 Bytes 7/20/2008 22:39:49
AERDL.DLL : 8.1.0.20 418165 Bytes 7/20/2008 22:39:48
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/20/2008 22:39:45
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 7/20/2008 22:39:43
AEHEUR.DLL : 8.1.0.43 1339767 Bytes 7/20/2008 22:39:41
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/20/2008 22:39:34
AEGEN.DLL : 8.1.0.29 307573 Bytes 7/20/2008 22:39:33
AEEMU.DLL : 8.1.0.6 430451 Bytes 7/20/2008 22:39:31
AECORE.DLL : 8.1.1.6 172405 Bytes 7/20/2008 22:39:29
AEBB.DLL : 8.1.0.1 53617 Bytes 7/20/2008 22:39:28
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 00:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 17:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 00:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 15:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 00:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 21:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 19:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, July 20, 2008 17:42

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'ZDWlan.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
21 processes with 21 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '21' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\44.tmp.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.rpc
[NOTE] The file was deleted!
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\45.tmp.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.rpc
[NOTE] The file was deleted!
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\A0017089.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\404Fix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.108
--> SmitfraudFix\IEDFix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs
[NOTE] The file was deleted!
C:\Documents and Settings\Austin\DoctorWeb\Quarantine\SmitfraudFix.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\404Fix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.108
--> SmitfraudFix\IEDFix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Ficticious
[NOTE] The file was deleted!
C:\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/09iXV8.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/1.dflb
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/17PHolmes27.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
--> backups/1H1lDK.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/1oZJLu.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/2.dflb
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/4utfCa.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/5.dflb
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/6.dflb
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/7.dflb
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/aTwJSt.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/back.exe.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.zh
--> backups/baseogn32.dll
[DETECTION] Is the Trojan horse TR/Agent.AGKK.86
--> backups/cssrss.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/dflgh8jkd2q1.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/dflgh8jkd2q2.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/dflgh8jkd2q5.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/dflgh8jkd2q6.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/dflgh8jkd2q7.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/GX6hev.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/jRBkES.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/lQ5TqG.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/m5XEKB.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/MQF2IC.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/pxD0Is.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/Q7CzzY.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/userinit.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/v3xd1.g22me
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/v4xd3.ga2me
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
--> backups/v4xd6.gam5e
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
--> backups/v5xd2.g3ame
[DETECTION] Is the Trojan horse TR/Downloader.Gen
--> backups/v5xd4.ga2me
[1] Archive type: RSRC
--> Object
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Small.eki Backdoor server programs
--> backups/v6xdt4.game
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/vedxg4am1et2.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.zh
--> backups/vedxg6ame4.exe
[1] Archive type: RSRC
--> Object
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Small.eki Backdoor server programs
--> backups/vedxga1me4t1.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/vedxga3me2.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
--> backups/vedxga4m1et4.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/vedxga4me1.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/vedxga5me3.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
--> backups/vx1dt1.game
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/vx1dt3.game
[DETECTION] Is the Trojan horse TR/Dropper.Gen
--> backups/vx3dt2.game
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.zh
--> backups/wpx15.cpx
[DETECTION] Is the Trojan horse TR/Dldr.Cntr.CA.88
--> backups/wpx2.cpx
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/wpx25.cpx
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/wpx27.cpx
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
--> backups/wpx29.cpx
[DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
--> backups/wpx31.cpx
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/wpx34.cpx
[DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
--> backups/wpx5.cpx
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\SDFix\backups\catchme.zip
[0] Archive type: ZIP
--> Xwsw71.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> asc3550p.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016066.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016067.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016068.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016069.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016070.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016094.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016095.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016096.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016097.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016098.exe
[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016140.exe:exe.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017094.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017098.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017100.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0017101.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0023457.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.rpc
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0023458.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.rpc
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0023459.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\404Fix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.108
--> SmitfraudFix\IEDFix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0023460.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\404Fix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.108
--> SmitfraudFix\IEDFix.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs
[NOTE] The file was deleted!


End of the scan: Sunday, July 20, 2008 17:56
Used time: 13:50 min

The scan has been done completely.

2358 Scanning directories
101181 Files were scanned
85 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
26 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
101096 Files not concerned
6014 Archives were scanned
5 Warnings
26 Notes


- Little preacher man.
  • 0
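A point worth drawing out of the report above: of the 85 detections it lists, every path except C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt sits under a folder that an earlier cleanup tool (Deckard's backup folder, Dr.Web's Quarantine, SDFix's backups) or System Restore uses to keep copies of files already removed, so the headline count says little about what is still active on the machine. The Python script below is added here as an example; it is not part of the thread and not Avira's tooling. It parses report lines in the layout shown above and separates detections inside those holding areas from detections elsewhere on disk. The marker list and the short sample report embedded in it are this example's own constructions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt laid out like the Avira AntiVir report pasted above:
# a few representative entries, not the full report.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\44.tmp.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.rpc
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Ficticious
[NOTE] The file was deleted!
C:\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/09iXV8.syz
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/userinit.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0016066.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
"""

# Folders where the cleanup tools used earlier in this thread park copies of
# what they removed, plus System Restore snapshots. A detection under one of
# these is a leftover of an earlier cleanup, not a running infection. This
# list is an assumption of the example, built from the paths in the report.
HOLDING_AREA_MARKERS = (
    "\\system volume information\\_restore",
    "\\deckard\\system scanner\\",
    "\\sdfix\\backups\\",
    "\\doctorweb\\quarantine\\",
)

FILE_RE = re.compile(r"^[A-Za-z]:\\")                  # a path on disk starts a new entry
MEMBER_RE = re.compile(r"^-->\s+(.+)$")                # entry inside an archive
DETECT_RE = re.compile(r"^\[DETECTION\]\s+(.+)$")
SIG_RE = re.compile(r"\b([A-Z]{2,}/[A-Za-z0-9.\-]+)")  # e.g. TR/Rootkit.Gen, WORM/Zhelatin.Gen
DELETED_NOTE = "[NOTE] The file was deleted!"


@dataclass
class Detection:
    path: str               # file on disk as reported by the scanner
    member: Optional[str]   # entry inside an archive, if any
    signature: str          # detection name, e.g. "TR/Rootkit.Gen"
    deleted: bool           # scanner reported the on-disk file as deleted
    location: str           # "held" (backup/quarantine/restore point) or "live"


def classify_location(path: str) -> str:
    lowered = path.lower()
    return "held" if any(m in lowered for m in HOLDING_AREA_MARKERS) else "live"


def parse_avira_report(text: str) -> List[Detection]:
    """Walk the report line by line; state is the current file and archive member."""
    detections: List[Detection] = []
    current_path: Optional[str] = None
    current_member: Optional[str] = None
    since_path: List[int] = []   # indices of detections belonging to current_path
    for raw in text.splitlines():
        line = raw.strip()
        if FILE_RE.match(line):
            current_path, current_member, since_path = line, None, []
            continue
        m = MEMBER_RE.match(line)
        if m:
            current_member = m.group(1)
            continue
        m = DETECT_RE.match(line)
        if m and current_path is not None:
            sig = SIG_RE.search(m.group(1))
            name = sig.group(1) if sig else m.group(1)
            detections.append(Detection(current_path, current_member, name, False,
                                        classify_location(current_path)))
            since_path.append(len(detections) - 1)
            continue
        if line == DELETED_NOTE:
            # The note follows all detections of the file (and its archive members).
            for i in since_path:
                detections[i].deleted = True
    return detections


def summarize(detections: List[Detection]) -> dict:
    """Counts by location and family, plus anything live that was not removed."""
    return {
        "total": len(detections),
        "by_location": dict(Counter(d.location for d in detections)),
        "by_family": dict(Counter(d.signature.split("/")[0] for d in detections)),
        "live_remaining": [(d.path, d.signature)
                           for d in detections if d.location == "live" and not d.deleted],
    }


if __name__ == "__main__":
    found = parse_avira_report(SAMPLE_REPORT)
    for d in found:
        where = d.path if d.member is None else f"{d.path} -> {d.member}"
        print(f"[{d.location:4}] {'deleted' if d.deleted else 'PRESENT'} {d.signature}: {where}")
    print(summarize(found))
```

Run it against a full report saved from Avira's "Report File" button and the "live_remaining" list is the part worth reading first: it is empty only when every detection outside the holding areas was actually removed. The "held" detections still matter for one reason, namely that a later System Restore to one of those points, or a careless un-quarantine, would bring the files back.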

#22
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
.

Edited by andrewuk, 20 July 2008 - 05:20 PM.

  • 0

#23
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, let's get another DSS scan done to see where we stand:

Please run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config
  • Click 'Run'
  • In the ensuing dialog box, uncheck 'Backing up Registry Hives'
  • Click Scan!
When finished, it shall produce main.txt and extra.txt for you.

andrewuk
  • 0

#24
Leifgreen

    Member

  • Topic Starter
  • Member
  • 49 posts
Not saying to check all boxes, I didn't, and only Main.txt appeared. Sorry if I did it wrong! ^_^"

Deckard's System Scanner v20071014.68
Run by Austin on 2008-07-20 18:22:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Austin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:13, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Austin\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Austin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BMN] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" dm=http://drivecleaner.com ad=http://drivecleaner.com sd=http://log.drivecleaner.com
O4 - HKCU\..\Run: [BMN(1)] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKUS\S-1-5-18\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 3295 bytes

-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-20 18:00:57 0 d-------- C:\WINDOWS\LastGood
2008-07-20 17:36:22 0 d-------- C:\Program Files\Avira
2008-07-20 17:36:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-20 17:01:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-20 16:56:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-19 20:14:02 0 d-------- C:\Program Files\Alwil Software
2008-07-19 18:39:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-19 18:39:30 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-19 17:58:35 0 d-------- C:\Documents and Settings\Austin\Application Data\Malwarebytes
2008-07-19 17:58:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 17:58:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 16:46:04 0 d-------- C:\Documents and Settings\Austin\DoctorWeb
2008-07-19 15:43:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-19 15:23:38 0 d-------- C:\WINDOWS\ERUNT
2008-07-19 14:51:24 0 d-------- C:\Program Files\Trend Micro
2008-07-18 19:16:27 1508 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 19:12:08 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-18 19:12:08 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-18 19:12:08 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-18 19:12:08 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-18 19:12:08 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-18 19:12:08 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-18 18:18:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-07-18 17:56:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-18 17:54:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-18 17:54:13 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-18 17:54:13 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-18 02:40:44 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-17 23:51:08 91648 --a------ C:\WINDOWS\system32\cnvfa.dll
2008-07-17 15:29:40 0 d-------- C:\WINDOWS\Sun
2008-07-17 15:29:40 0 d-------- C:\Documents and Settings\Austin\Application Data\Sun
2008-07-16 21:51:13 0 d-------- C:\Program Files\Java
2008-07-16 21:49:23 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 16:32:33 0 d-------- C:\Program Files\Realtek AC97
2008-07-16 15:51:19 0 d-------- C:\Documents and Settings\Austin\Application Data\Uniblue
2008-07-16 15:51:14 0 d-------- C:\Program Files\Uniblue
2008-07-16 13:15:43 0 d-------- C:\My Recordings
2008-07-16 13:09:28 0 d-------- C:\Program Files\FREE Hi-Q Recorder
2008-07-16 10:32:08 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-16 10:32:06 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-16 10:26:13 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-16 10:20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-16 10:20:23 0 d-------- C:\Documents and Settings\Austin\Application Data\Mozilla
2008-07-16 09:31:46 0 d-------- C:\Program Files\Realtek Sound Manager
2008-07-16 09:31:44 0 d-------- C:\Program Files\AvRack
2008-07-16 09:31:42 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-16 09:27:52 0 d-------- C:\cabs
2008-07-16 08:46:36 0 d-------- C:\Documents and Settings\Austin\Application Data\Macromedia
2008-07-15 23:06:25 17151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 81920 --a------ C:\WINDOWS\system32\ZDPN50.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 31744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 17664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 29184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:24 24576 --a------ C:\WINDOWS\system32\ZyDelReg.exe <Not Verified; ; ZyDelReg Application>
2008-07-15 23:06:24 15872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 28672 --a------ C:\WINDOWS\system32\InsDrvZD.dll <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 0 d-------- C:\Program Files\ZyDAS Technology Corporation
2008-07-15 23:06:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 23:06:18 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-15 22:47:14 102400 --a------ C:\WINDOWS\system32\unzip32.dll <Not Verified; Info-ZIP; Info-ZIP's UnZip Windows DLL>
2008-07-15 22:47:14 160768 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-15 22:47:14 77312 --a------ C:\WINDOWS\system32\UNACEV2.DLL
2008-07-15 22:47:13 0 d-------- C:\Program Files\UnzipThemAll
2008-07-14 17:37:23 0 d-------- C:\WINDOWS\pss
2008-07-13 19:59:17 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 16:22:02 0 d-------- C:\Documents and Settings\Austin\Application Data\AdobeUM
2008-07-07 16:21:57 0 d-------- C:\Documents and Settings\Austin\Application Data\Adobe
2008-07-07 16:21:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-07 13:47:59 0 d-------- C:\Documents and Settings\Austin\Application Data\Identities
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\WINDOWS
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Templates
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Start Menu
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\SendTo
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Recent
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\PrintHood
2008-07-07 13:47:58 1572864 --ah----- C:\Documents and Settings\Austin\ntuser.dat
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\NetHood
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\My Documents
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Local Settings
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Favorites
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\Desktop
2008-07-07 13:47:58 0 d---s---- C:\Documents and Settings\Austin\Cookies
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Application Data
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-07-07 13:44:01 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2008-07-07 13:44:00 2 --a------ C:\REQUEST_OEMRESET_ENDUSER
2008-07-07 13:41:15 0 d--hs---- C:\System Volume Information
2008-07-07 13:39:55 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-07-07 13:35:09 0 d-------- C:\WINDOWS\SMINST
2008-07-07 13:34:32 4096 --ahs---- C:\WINDOWS\system32\qweasdf.dat
2008-07-07 13:31:09 0 d-------- C:\WINDOWS\I386


-- Find3M Report ---------------------------------------------------------------

2008-07-20 16:01:32 0 d-------- C:\Program Files\Windows NT
2008-07-20 16:01:28 0 d-------- C:\Program Files\Movie Maker
2008-07-20 16:01:26 0 d-------- C:\Program Files\Messenger
2008-07-20 15:47:47 0 d-------- C:\Program Files\Online Services


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 14:00]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMN"="C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" []
"BMN(1)"="C:\Program Files\Common Files\System Doctor\dcmon.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iexplorer"=C:\WINDOWS\iexplorer.exe --system

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [7/15/2008 11:06:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
C:\Program Files\BraveSentry\BraveSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Freeware]
"C:\Program Files\DriveCleaner Freeware\UDC.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem]
C:\WINDOWS\system32\maxpaynowti1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcr5mj0e71n]
C:\WINDOWS\system32\lphcr5mj0e71n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Doctor Free]
C:\Program Files\System Doctor Free\systemdoc.exe -scan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System32]
C:\WINDOWS\system32\winds32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor Free]
C:\Program Files\System Doctor Free\systemdoc.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDrive]
C:\WINDOWS\system32\maxpaynow1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6_cw]
"C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMDM PMSP Service]
C:\WINDOWS\system32\cssrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)
"Google Online Services"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)

*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-07-20 18:26:26 ------------


- Little preacher man.
  • 0

#25
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will clean the malware i can see, scan a couple of suspicious looking files and do a general scan. with luck, we won't have too much more to go, though i will want to do some more scans to make sure after this, you had a highly infected machine.

as an aside, many of the programs you downloaded were rogue security programs. i will leave you with a list of good free programs at the end of this fix.


====STEP 1====
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMN
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMN(1)
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Freeware
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcr5mj0e71n
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Doctor Free
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System32
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor Free
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDrive
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC6_cw
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMDM PMSP Service
    C:\Program Files\BraveSentry\BraveSentry.exe
    C:\Program Files\DriveCleaner Freeware\UDC.exe /min
    C:\WINDOWS\system32\maxpaynowti1.exe
    C:\WINDOWS\system32\lphcr5mj0e71n.exe
    C:\Program Files\System Doctor Free\systemdoc.exe -scan
    C:\WINDOWS\system32\winds32.exe
    C:\Program Files\System Doctor Free\systemdoc.exe /min
    C:\WINDOWS\system32\maxpaynow1.exe
    C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe
    C:\Windows\xpupdate.exe
    C:\WINDOWS\system32\cssrss.exe
    C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe
    C:\Program Files\Common Files\System Doctor\dcmon.exe
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\system32\cnvfa.dll

Click on the submit button

Please also do the same with the following file:
C:\WINDOWS\iexplorer.exe



Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal




====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


In your next reply could i see:
1. the OTMoveIT log
2. the 2 Jotti logs
3. the SUPERantispyware log
4. a new DSS log (just re-run DSS as per normal)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#26
Leifgreen

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I did as said, and the folder "C:\_OTMoveIt\MovedFiles\07202008_190406" has no log files, but the Malware appearances at the MSConfig is gone. YAY! ^_^

Do I proceed, or try again? If needed, that is! ^_^ Be Blessed!

- Little preacher man.
  • 0

#27
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
go ahead and do the rest of the instructions starting with the Jotti scans - looks as if the OTMoveIT worked, though we will find out when the DSS log is produced.

andrewuk

Edited by andrewuk, 21 July 2008 - 12:28 AM.

  • 0

#28
Leifgreen

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Thank you, again! ^_^

Jotti's Malware Scanner Results:

C:\WINDOWS\system32\cnvfa.dll

Scanner results
Scan taken on 22 Jul 2008 14:56:05 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found BHO.O
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.DownLoad.2084
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Virus.Trojan.Win32.Pakes.cdw
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

The file iexplorer.exe was not found. it's not there!


Also, the SUPERAnti-spyware setup will not run, due to an error message stating:
"The Windows installer service could not be accessed."

Know what's wrong? ^_^ Be Blessed!

- Little preacher man.

Edited by Leifgreen, 22 July 2008 - 09:03 AM.

  • 0

#29
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Also, the SUPERAnti-spyware setup will not run, due to an error message stating:
"The Windows installer service could not be accessed."

Know what's wrong?

.....looks like a software issue, but let's clean your machine of malware first.

in this post we will clear off the last of the malware (that file was infected), re-run a couple of scans we have done before in case anything sneaked back on before we installed the antivirus program and then see where we stand. i am hoping that we will be there.


====STEP 1====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\cnvfa.dll
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\iexplorer
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
We will run SDFix again.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
====STEP 3====
and could you run malwarebytes again by double clicking the icon to open the program
  • select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
====STEP 4====
and could you re-run DSS.


In your next reply could i see:
1. the OTMoveIT log
2. the SDFix log
3. the malwarebytes log
4. the DSS log (there will only be one)
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#30
Leifgreen

Leifgreen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
OTMoveIT Log:

Explorer killed successfully
C:\WINDOWS\system32\cnvfa.dll unregistered successfully.
C:\WINDOWS\system32\cnvfa.dll moved successfully.
< HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\iexplorer >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\iexplorer deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_bbR70KXLap5EPMs1FWlI scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_165212

Files moved on Reboot...
File C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_bbR70KXLap5EPMs1FWlI not found!


SDFix Log:


SDFix: Version 1.206
Run by Austin on Tue 07/22/2008 at 17:11

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\braviax.exe - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 17:14:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 22 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BIT1.tmp"

Finished!


Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.21
Database version: 967
Windows 5.1.2600 Service Pack 2

5:37:34 PM 7/22/2008
mbam-log-7-22-2008 (17-37-34).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 58497
Time elapsed: 17 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\sysyytz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


DSS Log:

Deckard's System Scanner v20071014.68
Run by Austin on 2008-07-22 17:39:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Austin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:20, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Austin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Austin.exe

O2 - BHO: (no name) - {1036B735-2574-4CCC-93E7-80B84A3C1FB0} - C:\WINDOWS\system32\cnvfa.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 2568 bytes

-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 09:44:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-21 21:16:38 0 d---s---- C:\Documents and Settings\Austin\UserData
2008-07-20 17:36:22 0 d-------- C:\Program Files\Avira
2008-07-20 17:36:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-20 17:01:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-20 16:56:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-19 20:14:02 0 d-------- C:\Program Files\Alwil Software
2008-07-19 18:39:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-19 18:39:30 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-19 17:58:35 0 d-------- C:\Documents and Settings\Austin\Application Data\Malwarebytes
2008-07-19 17:58:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 17:58:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 16:46:04 0 d-------- C:\Documents and Settings\Austin\DoctorWeb
2008-07-19 15:43:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-19 15:23:38 0 d-------- C:\WINDOWS\ERUNT
2008-07-19 14:51:24 0 d-------- C:\Program Files\Trend Micro
2008-07-18 19:16:27 1508 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 19:12:08 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-18 19:12:08 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-18 19:12:08 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-18 19:12:08 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-18 19:12:08 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-18 19:12:08 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-18 18:18:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-07-18 17:56:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-18 17:54:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-18 17:54:13 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-18 17:54:13 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-18 17:54:13 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-18 17:54:13 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-18 17:54:13 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-18 17:54:13 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-18 02:40:44 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-17 15:29:40 0 d-------- C:\WINDOWS\Sun
2008-07-17 15:29:40 0 d-------- C:\Documents and Settings\Austin\Application Data\Sun
2008-07-16 21:51:13 0 d-------- C:\Program Files\Java
2008-07-16 21:49:23 0 d-------- C:\Program Files\Common Files\Java
2008-07-16 16:32:33 0 d-------- C:\Program Files\Realtek AC97
2008-07-16 15:51:19 0 d-------- C:\Documents and Settings\Austin\Application Data\Uniblue
2008-07-16 15:51:14 0 d-------- C:\Program Files\Uniblue
2008-07-16 13:15:43 0 d-------- C:\My Recordings
2008-07-16 13:09:28 0 d-------- C:\Program Files\FREE Hi-Q Recorder
2008-07-16 10:32:08 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-16 10:32:06 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-16 10:26:13 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-16 10:20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-16 10:20:23 0 d-------- C:\Documents and Settings\Austin\Application Data\Mozilla
2008-07-16 09:31:46 0 d-------- C:\Program Files\Realtek Sound Manager
2008-07-16 09:31:44 0 d-------- C:\Program Files\AvRack
2008-07-16 09:31:42 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-16 09:27:52 0 d-------- C:\cabs
2008-07-16 08:46:36 0 d-------- C:\Documents and Settings\Austin\Application Data\Macromedia
2008-07-15 23:06:25 17151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 81920 --a------ C:\WINDOWS\system32\ZDPN50.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 31744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 17664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:25 29184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 23:06:24 24576 --a------ C:\WINDOWS\system32\ZyDelReg.exe <Not Verified; ; ZyDelReg Application>
2008-07-15 23:06:24 15872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 28672 --a------ C:\WINDOWS\system32\InsDrvZD.dll <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-07-15 23:06:24 0 d-------- C:\Program Files\ZyDAS Technology Corporation
2008-07-15 23:06:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 23:06:18 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-15 22:47:14 102400 --a------ C:\WINDOWS\system32\unzip32.dll <Not Verified; Info-ZIP; Info-ZIP's UnZip Windows DLL>
2008-07-15 22:47:14 160768 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-15 22:47:14 77312 --a------ C:\WINDOWS\system32\UNACEV2.DLL
2008-07-15 22:47:13 0 d-------- C:\Program Files\UnzipThemAll
2008-07-14 17:37:23 0 d-------- C:\WINDOWS\pss
2008-07-13 19:59:17 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 16:22:02 0 d-------- C:\Documents and Settings\Austin\Application Data\AdobeUM
2008-07-07 16:21:57 0 d-------- C:\Documents and Settings\Austin\Application Data\Adobe
2008-07-07 16:21:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-07 13:47:59 0 d-------- C:\Documents and Settings\Austin\Application Data\Identities
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\WINDOWS
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Templates
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Start Menu
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\SendTo
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Recent
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\PrintHood
2008-07-07 13:47:58 1835008 --ah----- C:\Documents and Settings\Austin\ntuser.dat
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\NetHood
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\My Documents
2008-07-07 13:47:58 0 d--h----- C:\Documents and Settings\Austin\Local Settings
2008-07-07 13:47:58 0 dr------- C:\Documents and Settings\Austin\Favorites
2008-07-07 13:47:58 0 d-------- C:\Documents and Settings\Austin\Desktop
2008-07-07 13:47:58 0 d---s---- C:\Documents and Settings\Austin\Cookies
2008-07-07 13:47:58 0 dr-h----- C:\Documents and Settings\Austin\Application Data
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-07-07 13:47:42 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-07-07 13:44:01 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2008-07-07 13:44:00 2 --a------ C:\REQUEST_OEMRESET_ENDUSER
2008-07-07 13:41:15 0 d--hs---- C:\System Volume Information
2008-07-07 13:39:55 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-07-07 13:35:09 0 d-------- C:\WINDOWS\SMINST
2008-07-07 13:34:32 4096 --ahs---- C:\WINDOWS\system32\qweasdf.dat
2008-07-07 13:31:09 0 d-------- C:\WINDOWS\I386


-- Find3M Report ---------------------------------------------------------------

2008-07-22 09:44:01 0 d-------- C:\Program Files\Common Files
2008-07-20 16:01:32 0 d-------- C:\Program Files\Windows NT
2008-07-20 16:01:28 0 d-------- C:\Program Files\Movie Maker
2008-07-20 16:01:26 0 d-------- C:\Program Files\Messenger
2008-07-20 15:47:47 0 d-------- C:\Program Files\Online Services


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036B735-2574-4CCC-93E7-80B84A3C1FB0}]
C:\WINDOWS\system32\cnvfa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 15:28 C:\WINDOWS\soundman.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [7/15/2008 11:06:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
C:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)
"Google Online Services"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-07-22 17:42:05 ------------


Idea of System performance:

The computer is running quick and what most would call normal. The only different thing is that at start up, the task bar isn't there. It's just an empty dark blue line with no start button, no roaming programs and no clock. When I plug in my WI-FI dongle, turn on my browser, and access this page, it loads up.

Is that what you were looking for? ^_^



- Little preacher man.

Edited by Leifgreen, 22 July 2008 - 04:52 PM.

  • 0
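As an added example (not from this thread or from any of the tools it uses), a small Python triage script for the two log formats posted above: the autostart entries in the DSS "Registry Dump" and the SDFix "Authorized Application Key Export". The sample input is constructed from lines in those logs; the lookalike-name list, the rogue-product list and the trusted-directory rule are this example's own assumptions.

```python
"""Triage helper for two log formats posted in this thread: the DSS "Registry
Dump" autostart section and the SDFix "Authorized Application Key Export".
Added example; the heuristics are this editor's assumptions, not part of
DSS, SDFix, OTMoveIt2 or HijackThis."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source path reason")

# One-letter-off names seen in the thread's logs, mapped to the real binary.
LOOKALIKES = {"cssrss.exe": "csrss.exe", "iexplorer.exe": "iexplore.exe"}
# Rogue security products named in the thread (assumed list).
ROGUE_PRODUCTS = ("bravesentry", "drivecleaner", "system doctor")
# Where a startup item is expected to live on a stock XP install (assumed).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Drive-letter path ending in .exe/.dll, stopping before quotes or brackets.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\.(?:exe|dll))', re.I)
# '"path"="path:scope:state:Display Name"' as written by a registry export.
FW_LINE_RE = re.compile(r'"[^"]+"="([^"]+)"')


def normalise(path):
    """Collapse reg-export escaping and %windir% so paths compare alike."""
    return path.replace("\\\\", "\\").replace("%windir%", "C:\\WINDOWS").lower()


def assess(path, source):
    """Return a Finding if the path looks suspicious, else None."""
    low = normalise(path)
    name = low.rsplit("\\", 1)[-1]
    if name in LOOKALIKES:
        return Finding(source, path, "name mimics " + LOOKALIKES[name])
    if any(p in low for p in ROGUE_PRODUCTS):
        return Finding(source, path, "known rogue security product")
    if not low.startswith(TRUSTED_DIRS):
        return Finding(source, path, "runs from outside Windows/Program Files")
    return None


def scan_registry_dump(text):
    """Walk a DSS registry dump: '[KEY]' headers followed by value lines."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = PATH_RE.search(line) if key else None
        finding = assess(match.group(1), key) if match else None
        if finding:
            findings.append(finding)
    return findings


def scan_firewall_export(text):
    """Parse the SDFix authorized-application list; the value's last three
    colon-separated fields are scope, state and display name."""
    findings = []
    for line in text.splitlines():
        match = FW_LINE_RE.match(line.strip())
        parts = match.group(1).rsplit(":", 3) if match else []
        if len(parts) != 4:
            continue
        path, _scope, _state, display = parts
        finding = assess(path, "firewall exception '%s'" % display)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample input, copied from the logs posted in this thread.
SAMPLE_REGISTRY_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMN"="C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iexplorer"=C:\WINDOWS\iexplorer.exe --system
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMDM PMSP Service]
C:\WINDOWS\system32\cssrss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
'''
SAMPLE_FIREWALL_EXPORT = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"
'''

if __name__ == "__main__":
    for f in scan_registry_dump(SAMPLE_REGISTRY_DUMP) + scan_firewall_export(SAMPLE_FIREWALL_EXPORT):
        print("%-50s %s\n    in %s" % (f.path, f.reason, f.source))
```

Entries with no drive-letter path (such as the bare SOUNDMAN.EXE msconfig item) are skipped, so a real review would still check those by hand.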
