Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

help wanted ran all type of malware but unable remove the bagel [RESOL

Started by maverickk , Aug 08 2008 01:22 PM

This topic is locked

#1
maverickk

Posted 08 August 2008 - 01:22 PM

New Member

Member
7 posts

when i run malwarebytes i got the following log file
Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Welcome\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Welcome\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
but nothing happend after re-boot

and the escan says
the system is infect with bagel virus and says that the following files are infected
1.mkdlec.exe
2.soras.sys
3.flec006.exe

every time i run, i am unable to run any updates, download from rapidshare, run any downloaded programs when the downloaded programs run its says its not a win32 application. please help me out

this is the log file got from Deckard's System Scanner on 2008-08-09 00:19:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
13: 2008-08-08 18:49:56 UTC - RP231 - Deckard's System Scanner Restore Point
12: 2008-08-08 18:37:40 UTC - RP230 - Printer Driver Nitro PDF Driver 5 Installed
11: 2008-08-08 18:37:17 UTC - RP229 - Printer Driver Nitro PDF Driver 5 Installed
10: 2008-08-08 18:36:55 UTC - RP228 - Printer Driver Nitro PDF Driver 5 Installed
9: 2008-08-06 15:41:44 UTC - RP227 - System Checkpoint

-- First Restore Point --
1: 2008-08-03 09:10:41 UTC - RP219 - Printer Driver Nitro PDF Driver 5 Installed

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.81 GiB (less than 15%) free.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 00:24:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\eScan\Vista\avpmapp.exe
C:\Program Files\eScan\TRAYSSER.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\eScan\CONSCTL.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\eScan\TRAYICOS.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAGENT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Tally\tallylicserver.exe
C:\Tally\tally72.exe
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\eScan\Vista\escanmon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Welcome\My Documents\My Completed Downloads\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {61D176B3-4AE0-4521-9107-741BF4E34403} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\PROGRA~1\eScan\LAUNCH.EXE" /startup
O4 - HKLM\..\Run: [mwavscan_autoscan] "C:\PROGRA~1\eScan\mwavscan.com" /s /AUTORUNBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - (no file)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.micr.../OGAControl.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://download.micr...helpcontrol.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.zapak.com...nx.1.0.0.60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} () - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1211991369343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com...pt.1.0.0.21.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{FF87A27A-7802-49B4-A223-9638F62C7727}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: eScan Monitor Service - MicroWorld Technologies Inc. - C:\Program Files\eScan\Vista\avpmapp.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\Program Files\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe
O24 - Desktop Component 0: - http://l.yimg.com/us...ailcommonlib.js

--
End of file - 12065 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R3 ProcObsrves (Process Creation Monitor) - c:\program files\escan\procobsrves.sys <Not Verified; MicroWorld Technologies Inc.; eScan/eConceal>

S3 slnt (Silan SC92031 PCI Fast Ethernet Adapter) - c:\windows\system32\drivers\slnt.sys <Not Verified; Silan Micro-Electronics Inc.; Silan Micro-Electronics Inc.>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
R2 eScan Monitor Service - c:\progra~1\escan\vista\avpmapp.exe <Not Verified; MicroWorld Technologies Inc.; eScan For Windows>
R2 eScan-trayicos (eScan Server-Updater) - c:\progra~1\escan\traysser.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
R2 MWAgent - c:\program files\common files\microworld\agent\mwaser.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
R2 Tally License Server (Tally License Server (NT)) - c:\tally\tallylicserver.exe -s

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: System Interrupt Controller
Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Manufacturer:
Name: System Interrupt Controller
PNP Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-08-03 20:00:02 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-18 00:12:58 346 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1204915249.job

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-08 23:36:41 0 d-------- C:\Program Files\Trend Micro
2008-08-08 22:50:56 0 d-------- C:\327882R2FWJFW
2008-08-08 22:49:31 0 d-------- C:\Combo-Fix
2008-08-08 22:45:56 68349 --a------ C:\WINDOWS\system32\mdelk.exe
2008-08-08 22:37:47 21312 --a------ C:\WINDOWS\choice.exe
2008-08-08 22:37:26 0 d-------- C:\ie-spyad
2008-08-08 22:24:15 0 dr-h----- C:\Documents and Settings\Welcome\Recent
2008-08-07 23:34:14 0 d-------- C:\Documents and Settings\Welcome\Application Data\Malwarebytes
2008-08-07 23:34:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 23:34:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 21:33:45 0 d-------- C:\Program Files\CDisplay
2008-08-03 14:45:16 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-08-03 14:26:02 0 d-------- C:\PUB
2008-08-03 14:24:50 136730 --a------ C:\WINDOWS\winsbak2.reg
2008-08-03 14:24:50 14936 --a------ C:\WINDOWS\winsbak.reg
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Templates
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Start Menu
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Favorites
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Documents
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Desktop
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Application Data
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Templates
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Favorites
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Documents
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-03 14:24:48 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2008-08-03 14:24:47 0 d-------- C:\Program Files\Common Files\MicroWorld
2008-08-03 14:24:20 49152 --a------ C:\WINDOWS\killproc.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/ X-Spam/eConceal>
2008-08-03 14:24:14 509952 --a------ C:\WINDOWS\system32\eInstall.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
2008-08-03 14:24:13 155648 --a------ C:\WINDOWS\system32\mwnsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2008-08-03 14:24:13 1540096 --a------ C:\WINDOWS\system32\contfilt.dll <Not Verified; MicroWorld Technologies Inc.; eScan/WebScan for Windows>
2008-08-03 14:24:12 130560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL <Not Verified; ; BCB/Delphi Zip>
2008-08-03 14:24:12 125440 --a------ C:\WINDOWS\system32\UNZDLL.DLL <Not Verified; ; BCB/Delphi UnZip>
2008-08-03 14:24:12 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-03 14:24:12 425984 --a------ C:\WINDOWS\system32\mwtsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2008-08-03 14:24:12 32768 --a------ C:\WINDOWS\system32\esmxlog.dll
2008-08-03 14:24:12 8192 --a------ C:\WINDOWS\sporder.exe <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>
2008-08-03 14:24:12 8464 --a------ C:\WINDOWS\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-03 14:24:12 97280 --a------ C:\WINDOWS\inst_tspx.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/eConceal/X-Spam>
2008-08-03 14:24:12 57344 --a------ C:\WINDOWS\inst_tsp.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/eConceal/X-Spam>
2008-08-03 14:24:10 0 d-------- C:\WINDOWS\system32\FLCSS.EXE
2008-08-03 14:24:10 0 d-------- C:\WINDOWS\system32\ES_SETUP
2008-08-03 14:24:10 0 d-------- C:\Program Files\eScan
2008-08-03 14:24:10 0 d-------- C:\AVPDOS
2008-07-26 00:10:24 0 d-------- C:\Program Files\mIRC
2008-07-18 23:15:52 0 d-------- C:\Documents and Settings\Welcome\.housecall6.6
2008-07-16 00:39:27 0 d-------- C:\Documents and Settings\Welcome\Application Data\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Common Files\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Common Files\BCL Technologies
2008-07-16 00:37:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Nitro PDF
2008-07-15 22:56:44 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 22:56:20 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-07-15 22:56:17 0 d-------- C:\Program Files\DAP
2008-07-15 21:46:11 0 d-------- C:\pdfedit2
2008-07-15 21:41:14 0 d-------- C:\pdfedit
2008-07-12 23:39:16 30720 --a------ C:\WINDOWS\system32\rrr.EXE <Not Verified; Microsoft Corporation; Microsoft® Win32 SDK>
2008-07-12 22:28:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-12 22:22:52 0 d-------- C:\temp
2008-07-12 21:31:58 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-11 21:55:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-11 21:55:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

-- Find3M Report ---------------------------------------------------------------

2008-07-26 00:19:16 90876 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-05 23:07:24 0 d-------- C:\Program Files\Common Files\Ahead
2008-06-23 23:54:38 0 d-------- C:\Program Files\TheLearningPit
2008-06-19 23:37:22 0 d-------- C:\Program Files\Ahead
2008-06-19 22:40:52 1220 --a------ C:\WINDOWS\system32\yybdgMoq.ini2
2008-05-22 21:26:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-12 15:23:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61D176B3-4AE0-4521-9107-741BF4E34403}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [09/21/2006 04:36 PM C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [02/06/2007 07:30 AM C:\WINDOWS\system32\S3Trayp.exe]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [05/11/2007 03:47 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 02:52 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/24/2008 10:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [05/15/2007 03:55 PM]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [05/15/2007 03:55 PM]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [07/15/2008 10:56 PM]
"Nitro PDF Printer Monitor"="C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [07/10/2008 01:59 PM]
"eScan Updater"="C:\PROGRA~1\eScan\TRAYICOS.exe" [07/11/2008 04:35 PM]
"MailScan Dispatcher"="C:\PROGRA~1\eScan\LAUNCH.exe" [07/16/2008 04:10 PM]
"mwavscan_autoscan"="C:\PROGRA~1\eScan\mwavscan.com /s /AUTORUNBOOT" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 12:00 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/13/2008 11:54:58 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\qoMgdbyy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ade6824-b6e7-11dc-8001-00e0206049c4}]
AutoRun\command- I:\
explore\Command- I:\RECYCLER\autorun.exe -ExploreCurDir
open\Command- I:\RECYCLER\autorun.exe -OpenCurDir

-- End of Deckard's System Scanner: finished at 2008-08-09 00:24:49 ------------

Attached Files

main.txt 25.91KB 174 downloads

#2
Essexboy

Posted 08 August 2008 - 01:37 PM

GeekU Moderator

Retired Staff
69,964 posts

Yep you have bagel so lets try to remove it for you. Please read the following carefully before downloading and running any programme

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3
maverickk

Posted 11 August 2008 - 10:43 AM

New Member

Topic Starter
Member
7 posts

Hi
past two days i am trying to download combofix but i am not able to downoad either the downloaded file stops abruptly or the net dissconects , if downloaded when trying to run it says not valid win32 application..please help me

#4
Essexboy

Posted 11 August 2008 - 12:13 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi again - it seems that some variants are now targetting CF so please download and run Bagel fix

This will produce a log at C:\Bagled.txt could you post this

#5
Essexboy

Posted 16 August 2008 - 03:36 AM

GeekU Moderator

Retired Staff
69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#6
admin

Posted 18 August 2008 - 12:36 PM

Founder Geek

Community Leader
24,639 posts

Reopened at the request of the topic starter.

#7
maverickk

Posted 18 August 2008 - 12:49 PM

New Member

Topic Starter
Member
7 posts

hi Essexboy
i am attaching the beagled.txt and combofix.txt as said by you.. since my internet connection was down for some period due to bad waether i was not able to post you .

Attached Files

Bagled.txt 62bytes 128 downloads
ComboFix.txt 55.73KB 148 downloads

#8
Essexboy

Posted 18 August 2008 - 01:04 PM

GeekU Moderator

Retired Staff
69,964 posts

No problems on that. I hope the weather is a bit better now

Looks like the dreaded bagle has gone. I would now like to do a deep search to ensure that it hasn't left anything behind. How is your computer behaving now ?

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All User Accounts
Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
Under Additional Scans check the following:
- Reg - BotCheck
- File - Additional Folder Scans
- File - Purity Scan
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#9
maverickk

Posted 18 August 2008 - 01:29 PM

New Member

Topic Starter
Member
7 posts

The weather is getting better...

i am attaching the txt file what i got by running the OTscanit

Attached Files

OTScanIt.Txt 333.15KB 111 downloads

Edited by maverickk, 18 August 2008 - 01:37 PM.

#10
Essexboy

Posted 18 August 2008 - 01:38 PM

GeekU Moderator

Retired Staff
69,964 posts

For some reason I can't download it. Could you upload the file here http://www.mediafire.com/ and post the sharing link

#11
Essexboy

Posted 18 August 2008 - 01:39 PM

GeekU Moderator

Retired Staff
69,964 posts

Ignore the above Got it now

#12
Essexboy

Posted 18 August 2008 - 01:48 PM

GeekU Moderator

Retired Staff
69,964 posts

That looks much better now

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Files/Folders - Created Within 90 days]
NY -> 23990098.$$$ -> %SystemDrive%\23990098.$$$
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

FINALLY

One more sweep with MBAM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : OTScanit report, MBAM and a new Hijackthis log... Plus how is your computer now ?

#13
maverickk

Posted 18 August 2008 - 02:49 PM

New Member

Topic Starter
Member
7 posts

hi Essexboy

here is the log file of the three ... the prob is i tried doownload servcie pack 3 from Microsoft site the browser becomes non responsive program ,,,, how to update my windows ,,, if this happends

******HJT Log File ***********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:52 AM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\eScan\VISTA\avpmapp.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\PROGRA~1\eScan\consctl.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Tally\tallylicserver.exe
C:\Tally\Tally72.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\eScan\Vista\eScanMon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\PROGRA~1\eScan\LAUNCH.EXE" /startup
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\ost\OTScanIt\OTScanIt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1211991369343
O17 - HKLM\System\CCS\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF87A27A-7802-49B4-A223-9638F62C7727}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS2\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS3\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: eScan Monitor Service - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\VISTA\avpmapp.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/us...ailcommonlib.js

--
End of file - 9277 bytes

Attached Files

OTScanIt.Txt 255.9KB 122 downloads
mbam_log_08_19_2008__02_05_31_.txt 833bytes 116 downloads

Edited by maverickk, 18 August 2008 - 02:51 PM.

#14
Essexboy

Posted 18 August 2008 - 03:16 PM

GeekU Moderator

Retired Staff
69,964 posts

Nicely done maverickk

You now look clean
Reference SP3 have you tried downloading the standalone installer from here http://www.microsoft...;displaylang=en you can change the language on the site to your choice

Let me know if that works. Meanwhile

Now the best part of the day ----- Your log now appears clean

Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

Select Start > All Programs > Accessories > System tools > System Restore.
On the dialogue box that appears select Create a Restore Point
Click NEXT
Enter a name e.g. Clean
Click CREATE

You now have a clean restore point, to get rid of the bad ones:

Select Start > All Programs > Accessories > System tools > Disk Cleanup.
In the Drop down box that appears select your main drive e.g. C
Click OK
The System will do some calculation and the display a dialogue box with TABS
Select the More Options Tab.
At the bottom will be a system restore box with a CLEANUP button click this
Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

SpywareBlaster to help prevent spyware from installing in the first place.
SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Secunia Software inspector To check your programme update status
Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

#15
maverickk

Posted 21 August 2008 - 03:28 AM

New Member

Topic Starter
Member
7 posts

hi Essexboy,

Thanx for your timely help...i downloaded all you said but i am unable download the windows updates..i have asked them to provide with SP3 CD i hope this would solve the other problems...

cheers...