Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

antivirusxp08 [RESOLVED]


  • This topic is locked This topic is locked

#16
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 1

6:44:17 PM 7/29/2008
mbam-log-7-29-2008 (18-44-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 483577
Time elapsed: 5 hour(s), 30 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 37
Files Infected: 79

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nn_bar_dummy.nn_bardummy (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nn_bar_dummy.nn_bardummy.1 (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{41700749-a109-4254-af13-be54011e8783} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.bhobj (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1 (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj.1 (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcpwhj0e561 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcpwhj0e561 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Outerinfo (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Web Rebates (Adware.WebRebates) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\winantispyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout (Adware.NetOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\f02WtR (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar (Adware.ISTBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ide21201.vxd (Adware.Winad) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51977.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51A13.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51ABF.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51B6B.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51C07.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51C94.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51D21.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51DBD.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D51E49.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D5324E.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D532EB.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00D53377.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00EB8323.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00FF9F35.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00FFA33C.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0117D1AA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\01E7EC91 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\01E82E6D.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\01E84B0D.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\01E84FB0.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\board.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\btn-flat.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\btn-push.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\checkers.js (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\common-r.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\common-w.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\index.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\king-r.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS\king-w.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\Cache\00028FC3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\Cache\00D51178 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History\allowed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History\notallow (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CheckersAIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CheckersAIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\ChessAIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\ChessAIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\EnableDisableAIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MySignatureInsertBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MySignatureInsertBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\NoSettingAIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\NoSettingAIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\ReversiAIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\ReversiAIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar\imagemap_normal.bmp (Adware.ISTBar) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar\version.txt (Adware.ISTBar) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar\yoursitebar.xml (Adware.ISTBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phctwhj0e561.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
  • 0

Advertisements


#17
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-29 18:46:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:19, on 7/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i21.photobuck...Grl90/black.jpg

--
End of file - 7521 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 13:11:23 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Malwarebytes
2008-07-29 13:11:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 13:11:17 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 21:44:27 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Comcast
2008-07-28 21:23:41 3022 --a------ C:\WINDOWS\System32\tmp.reg
2008-07-28 21:22:44 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-28 21:22:13 81920 --a------ C:\WINDOWS\System32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-28 21:22:12 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-07-28 21:22:12 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-28 21:22:12 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-28 21:22:12 82944 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-28 21:22:11 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-28 21:22:11 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-07-27 23:47:14 0 d-------- C:\Program Files\Trend Micro
2008-07-27 23:15:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-07-29 18:44:16 0 d-------- C:\Program Files\Common Files
2008-07-28 21:56:28 0 d-------- C:\Program Files\WildTangent
2008-07-28 21:52:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 21:52:33 0 d-------- C:\Program Files\NewSoft
2008-07-28 21:50:43 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Musicmatch
2008-07-28 21:50:41 0 d-------- C:\Program Files\MUSICMATCH
2008-07-28 21:48:04 0 d-------- C:\Program Files\Microsoft Money
2008-07-28 21:41:57 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-28 21:31:21 0 d-------- C:\Program Files\Viewpoint
2008-06-24 12:26:30 0 d-------- C:\Program Files\McAfee
2008-06-23 14:31:07 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-02 22:36:44 0 d-------- C:\Program Files\LimeWire
2008-05-31 21:40:26 9604 --a------ C:\WINDOWS\mozver.dat
2008-05-31 21:33:33 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-31 21:33:26 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 21:33:18 1770 --a------ C:\WINDOWS\nsreg.dat
2008-05-31 20:33:26 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Real
2008-05-31 20:31:44 0 d-------- C:\Program Files\Common Files\csshare


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [09/30/2002 23:39 C:\WINDOWS\system32\nwiz.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe" [09/25/2006 16:52]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 21:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 21:32]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 18:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Startup\
AOL OpenRide.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [9/25/2006 4:52:49 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [12/3/2002 4:58:20 PM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [10/11/2003 8:19:17 AM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [12/3/2002 4:23:30 PM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [9/20/2002 7:20:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b]
C:\WINDOWS\System32\dccnncr.exe



-- End of Deckard's System Scanner: finished at 2008-07-29 18:47:05 ------------
  • 0

#18
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


We need to get rid of some of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

@echo off
sc stop "COM+ Messages"
sc delete "COM+ Messages"
exit

Save it to your desktop as File name: Service.bat
Save as type: All Files

Once done, double click Service.bat to run it. A command window will open briefly, then close. This is quite normal.

If you do not sure how to make a batch file, please visit HERE for the tutorial.




NEXT


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    COM+ Messages <delete service>
    C:\WINDOWS\System32\dccnncr.exe
    C:\WINDOWS\System32\svchosts.exe
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please post the following logs in your next reply..

1. OTMoveIt2
2. Kaspersky Webscanner (please attach this log)
3. A fresh DSS log (after Kaspersky step)


Regards
fenzodahl512
  • 0

#19
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Explorer killed successfully
Service not present: COM+ Messages.
File/Folder C:\WINDOWS\System32\dccnncr.exe not found.
File/Folder C:\WINDOWS\System32\svchosts.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b\\ not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\10.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42B2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42B3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42B4.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BA.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BB.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BC.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BD.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4311.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr431C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr431D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr431E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4320.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4321.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4322.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4323.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4324.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_WzuCavjfReC89vj scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_bbxT0GQZQx1K1ad scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07292008_191220

Files moved on Reboot...
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\10.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42B2.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42B3.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42B4.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BA.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BB.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BC.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr42BD.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4311.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr431C.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr431D.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr431E.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4320.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4321.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4322.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4323.tmp not found!
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\Acr4324.tmp not found!
File C:\WINDOWS\temp\mcafee_WzuCavjfReC89vj not found!
File C:\WINDOWS\temp\mcmsc_bbxT0GQZQx1K1ad not found!
  • 0

#20
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hi there.. I have to go to class now and will be back about after 4hrs or so..

Thank you :)
  • 0

#21
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
ok, no problem
  • 0

#22
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Dont forget to post your Kaspersky and DSS log :)
  • 0

#23
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
ya, once it finishes the scan
  • 0

#24
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-30 09:16:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:05 AM, on 7/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i21.photobuck...Grl90/black.jpg

--
End of file - 7527 bytes

-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-29 19:27:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-29 19:27:22 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-07-29 13:11:23 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Malwarebytes
2008-07-29 13:11:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 13:11:17 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 21:44:27 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Comcast
2008-07-28 21:23:41 3022 --a------ C:\WINDOWS\System32\tmp.reg
2008-07-28 21:22:44 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-28 21:22:13 81920 --a------ C:\WINDOWS\System32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-28 21:22:12 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-07-28 21:22:12 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-28 21:22:12 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-28 21:22:12 82944 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-28 21:22:11 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-28 21:22:11 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-07-27 23:47:14 0 d-------- C:\Program Files\Trend Micro
2008-07-27 23:15:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-07-29 18:44:16 0 d-------- C:\Program Files\Common Files
2008-07-28 21:56:28 0 d-------- C:\Program Files\WildTangent
2008-07-28 21:52:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 21:52:33 0 d-------- C:\Program Files\NewSoft
2008-07-28 21:50:43 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Musicmatch
2008-07-28 21:50:41 0 d-------- C:\Program Files\MUSICMATCH
2008-07-28 21:48:04 0 d-------- C:\Program Files\Microsoft Money
2008-07-28 21:41:57 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-28 21:31:21 0 d-------- C:\Program Files\Viewpoint
2008-06-24 12:26:30 0 d-------- C:\Program Files\McAfee
2008-06-23 14:31:07 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-02 22:36:44 0 d-------- C:\Program Files\LimeWire
2008-05-31 21:40:26 9604 --a------ C:\WINDOWS\mozver.dat
2008-05-31 21:33:33 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-31 21:33:26 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 21:33:18 1770 --a------ C:\WINDOWS\nsreg.dat
2008-05-31 20:33:26 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Real
2008-05-31 20:31:44 0 d-------- C:\Program Files\Common Files\csshare


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [09/30/2002 11:39 PM C:\WINDOWS\system32\nwiz.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe" [09/25/2006 04:52 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 09:16 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 09:32 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 06:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Startup\
AOL OpenRide.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [9/25/2006 4:52:49 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [12/3/2002 4:58:20 PM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [10/11/2003 8:19:17 AM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [12/3/2002 4:23:30 PM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [9/20/2002 7:20:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b]
C:\WINDOWS\System32\dccnncr.exe



-- End of Deckard's System Scanner: finished at 2008-07-30 09:18:47 ------------

Attached Files


Edited by mbrikha, 30 July 2008 - 08:58 AM.

  • 0

#25
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Lets do this.. Please disable your McAfee antivirus and McAfee firewall prior to our fix.. Please visit HERE if you do not know how..





Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.







Lets run F-Secure online scan for Viruses, Spyware and RootKits:
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient



How is your computer now?
  • 0

Advertisements


#26
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Scanning Report
Wednesday, July 30, 2008 21:24:11 - 00:32:59
Computer name: YOUR-KYBTG65GXE
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 19 malware found
AdWare.Win32.180Solutions (spyware)
System
AdWare.Win32.Hotbar (spyware)
System
AdWare.Win32.UrlSpy (spyware)
System
AdWare.Win32.WeirWeb (spyware)
System
Hoax.Win32.Renos (virus)
System
Hoax.Win32.Renos.vaoz (virus)
C:\WINDOWS\SYSTEM32\IEDFIX.C.EXE
C:\WINDOWS\SYSTEM32\IEDFIX.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\SMITFRAUDFIX\IEDFIX.C.EXE (Submitted)
C:\PROGRAM FILES\MOZILLA FIREFOX\SMITFRAUDFIX\IEDFIX.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\OWNER.YOUR-KYBTG65GXE.000\DESKTOP\SMITFRAUDFIX\IEDFIX.C.EXE
C:\DOCUMENTS AND SETTINGS\OWNER.YOUR-KYBTG65GXE.000\DESKTOP\SMITFRAUDFIX\IEDFIX.EXE
RiskTool.Win32.Reboot (spyware)
System
Trojan-Clicker.JS.Linker (virus)
System
Trojan-Clicker.JS.Linker.j (virus)
C:\WINDOWS\TRUFKZ.HTML
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Pakes (virus)
C:\DOCUMENTS AND SETTINGS\GUEST.YOUR-KYBTG65GXE\LOCAL SETTINGS\TEMP\~APROPOS0\ACE.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\GUEST.YOUR-KYBTG65GXE\LOCAL SETTINGS\TEMP\~APROPOS0\ATLA.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\GUEST.YOUR-KYBTG65GXE\LOCAL SETTINGS\TEMP\~APROPOS0\LIBEXPAT.DLL (Renamed & Submitted)
W32/Malware (virus)
C:\CHSI\SETUP\REMOVE\REGTWEAK.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 54610
System: 5586
Not scanned: 99
Actions:
Disinfected: 0
Renamed: 3
Deleted: 0
None: 16
Submitted: 6
Files not scanned:
x?(lāAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_F55OZKSCFZVBMWY
C:\WINDOWS\TEMP\MCMSC_BEHTMJC8W1VNMTM
C:\WINDOWS\TEMP\MCMSC_FBV2TF6KLHJMWOH
C:\WINDOWS\TEMP\MCMSC_JQUUQB8ZZ9CWIQ5
C:\WINDOWS\TEMP\MCMSC_OENTCIJZMYLO0UP
C:\WINDOWS\SYSTEM32\1802.DLL
C:\WINDOWS\SYSTEM32\AUTO_UPDATE_UNINSTALL.EXE
C:\WINDOWS\SYSTEM32\DELFIN.DLL
C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL
C:\WINDOWS\SYSTEM32\MIDAD.DLL
C:\WINDOWS\SYSTEM32\MSREV23.DLL
C:\WINDOWS\SYSTEM32\MSREV43.DLL
C:\WINDOWS\SYSTEM32\POP5.DLL
C:\WINDOWS\SYSTEM32\TVNEW.DLL
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLQ828026$\WMP.DLL
C:\WINDOWS\$NTUNINSTALLKB839645$\FLDRCLNR.DLL
C:\WINDOWS\$NTUNINSTALLKB839645$\SHELL32.DLL
C:\WINDOWS\$NTUNINSTALLKB839645$\SHLWAPI.DLL
C:\WINDOWS\$NTUNINSTALLKB839645$\SXS.DLL
C:\WINDOWS\$NTUNINSTALLKB839645$\XPSP2RES.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\EXPSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCH40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCL40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSJET40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOL1.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOLEDB40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSJINT40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTER40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTES40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSLTUS40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSPBDE40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD2X40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD3X40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSREPL40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSTEXT40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSWDAT10.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSWSTR10.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\MSXBDE40.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\VBAJET32.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
C:\WINDOWS\$NTUNINST?큁

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-07-31
F-Secure AVP: 7.0.171, 2008-07-31
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
  • 0

#27
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
[*]Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\WINDOWS\SYSTEM32\1802.DLL
C:\WINDOWS\SYSTEM32\AUTO_UPDATE_UNINSTALL.EXE
C:\WINDOWS\SYSTEM32\DELFIN.DLL
C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL
C:\WINDOWS\SYSTEM32\MIDAD.DLL
C:\WINDOWS\SYSTEM32\MSREV23.DLL
C:\WINDOWS\SYSTEM32\MSREV43.DLL
C:\WINDOWS\SYSTEM32\POP5.DLL
C:\WINDOWS\SYSTEM32\TVNEW.DLL 
C:\WINDOWS\TRUFKZ.HTML 
EmptyTemp
purity
[start explorer]

[*] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
[*]Click the red Moveit! button.
[*]A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
[*]Close OTMoveIt2
[/list]If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please also include a fresh DSS log in your next reply..
  • 0

#28
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Explorer killed successfully
LoadLibrary failed for C:\WINDOWS\SYSTEM32\1802.DLL
C:\WINDOWS\SYSTEM32\1802.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\1802.DLL scheduled to be moved on reboot.
File move failed. C:\WINDOWS\SYSTEM32\AUTO_UPDATE_UNINSTALL.EXE scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\DELFIN.DLL
C:\WINDOWS\SYSTEM32\DELFIN.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\DELFIN.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL
C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\MIDAD.DLL
C:\WINDOWS\SYSTEM32\MIDAD.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\MIDAD.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\MSREV23.DLL
C:\WINDOWS\SYSTEM32\MSREV23.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\MSREV23.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\MSREV43.DLL
C:\WINDOWS\SYSTEM32\MSREV43.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\MSREV43.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\POP5.DLL
C:\WINDOWS\SYSTEM32\POP5.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\POP5.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\TVNEW.DLL
C:\WINDOWS\SYSTEM32\TVNEW.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\TVNEW.DLL scheduled to be moved on reboot.
File/Folder C:\WINDOWS\TRUFKZ.HTML not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\9.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_o7F14sNODr5z4S0 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_55yqizE2TRJr0GD scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_hleBl8qy0fdYD0W scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_Oy9QjzEy9tM0Z0l scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_s1VLEl6uqO9FdaO scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07312008_113322

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\SYSTEM32\1802.DLL
C:\WINDOWS\SYSTEM32\1802.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\1802.DLL scheduled to be moved on reboot.
File move failed. C:\WINDOWS\SYSTEM32\AUTO_UPDATE_UNINSTALL.EXE scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\DELFIN.DLL
C:\WINDOWS\SYSTEM32\DELFIN.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\DELFIN.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL
C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\MIDAD.DLL
C:\WINDOWS\SYSTEM32\MIDAD.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\MIDAD.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\MSREV23.DLL
C:\WINDOWS\SYSTEM32\MSREV23.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\MSREV23.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\MSREV43.DLL
C:\WINDOWS\SYSTEM32\MSREV43.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\MSREV43.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\POP5.DLL
C:\WINDOWS\SYSTEM32\POP5.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\POP5.DLL scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\TVNEW.DLL
C:\WINDOWS\SYSTEM32\TVNEW.DLL NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\TVNEW.DLL scheduled to be moved on reboot.
File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\9.tmp not found!
File C:\WINDOWS\temp\mcafee_o7F14sNODr5z4S0 not found!
File C:\WINDOWS\temp\mcmsc_55yqizE2TRJr0GD not found!
File C:\WINDOWS\temp\mcmsc_hleBl8qy0fdYD0W not found!
File C:\WINDOWS\temp\mcmsc_Oy9QjzEy9tM0Z0l not found!
File C:\WINDOWS\temp\mcmsc_s1VLEl6uqO9FdaO not found!
  • 0

#29
mbrikha

mbrikha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-31 11:42:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:01 AM, on 7/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i21.photobuck...Grl90/black.jpg

--
End of file - 7199 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-30 21:20:58 0 d-------- C:\fsaua.data
2008-07-29 19:27:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-29 19:27:22 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-07-29 13:11:23 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Malwarebytes
2008-07-29 13:11:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 13:11:17 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 21:44:27 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Comcast
2008-07-28 21:23:41 3022 --a------ C:\WINDOWS\System32\tmp.reg
2008-07-28 21:22:44 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-28 21:22:13 81920 --a------ C:\WINDOWS\System32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-28 21:22:12 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-07-28 21:22:12 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-28 21:22:12 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-28 21:22:11 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-28 21:22:11 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-07-27 23:47:14 0 d-------- C:\Program Files\Trend Micro
2008-07-27 23:15:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-07-31 00:31:06 0 d-------- C:\Program Files\hbinst
2008-07-29 18:44:16 0 d-------- C:\Program Files\Common Files
2008-07-28 21:56:28 0 d-------- C:\Program Files\WildTangent
2008-07-28 21:52:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 21:52:33 0 d-------- C:\Program Files\NewSoft
2008-07-28 21:50:43 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Musicmatch
2008-07-28 21:50:41 0 d-------- C:\Program Files\MUSICMATCH
2008-07-28 21:48:04 0 d-------- C:\Program Files\Microsoft Money
2008-07-28 21:41:57 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-28 21:31:21 0 d-------- C:\Program Files\Viewpoint
2008-06-24 12:26:30 0 d-------- C:\Program Files\McAfee
2008-06-23 14:31:07 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-02 22:36:44 0 d-------- C:\Program Files\LimeWire
2008-05-31 21:40:26 9604 --a------ C:\WINDOWS\mozver.dat
2008-05-31 21:33:33 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-31 21:33:26 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 21:33:18 1770 --a------ C:\WINDOWS\nsreg.dat
2008-05-31 20:33:26 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Real
2008-05-31 20:31:44 0 d-------- C:\Program Files\Common Files\csshare


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [09/30/2002 11:39 PM C:\WINDOWS\system32\nwiz.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe" [09/25/2006 04:52 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 09:16 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 09:32 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 06:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Startup\
AOL OpenRide.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [9/25/2006 4:52:49 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [12/3/2002 4:58:20 PM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [10/11/2003 8:19:17 AM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [12/3/2002 4:23:30 PM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [9/20/2002 7:20:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b]
C:\WINDOWS\System32\dccnncr.exe



-- End of Deckard's System Scanner: finished at 2008-07-31 11:44:17 ------------
  • 0

#30
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\WINDOWS\SYSTEM32\1802.DLL
C:\WINDOWS\SYSTEM32\AUTO_UPDATE_UNINSTALL.EXE
C:\WINDOWS\SYSTEM32\DELFIN.DLL
C:\WINDOWS\SYSTEM32\GOLDNEW2B.DLL
C:\WINDOWS\SYSTEM32\MIDAD.DLL
C:\WINDOWS\SYSTEM32\MSREV23.DLL
C:\WINDOWS\SYSTEM32\MSREV43.DLL
C:\WINDOWS\SYSTEM32\POP5.DLL
C:\WINDOWS\SYSTEM32\TVNEW.DLL
C:\WINDOWS\TRUFKZ.HTML

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log .
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP