desktop virus spyware[RESOLVED]

This topic is locked.

#16 mnadeem (Topic Starter, Member, 98 posts)
Second, what antivirus software should I load? Tried Norton, failed; also Trend Micro failed, some problem with installation.
#17 miekiemoes (Malware Expert, MVP, 5,503 posts)
Can you please perform my steps?
I didn't ask you to install an antivirus now, I asked you to delete all those files manually and post a new fresh findit's-log.

We'll talk about an antivirus a bit later; first let's clean you up!!
And no, apparently no software can clean that up for you automatically, because I already asked you before to run adaware SE and ewido and those files weren't deleted by them (if you ran those programs of course), so delete all those files manually as I asked you before.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab


* Click on Fix Checked when finished and exit HijackThis.

So, I want:

1. A fresh findit's-log

2. A fresh hijackthislog

3. I don't want you to perform any other steps besides that -- don't install things!

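The HijackThis entries checked in the post above can be triaged mechanically before a "Fix checked" pass, and a re-scan compared against the first log afterwards. The following is an added example, not part of this thread and not HijackThis's own code; it assumes the one-entry-per-line format shown in this thread, and its sample input is constructed from the five lines above plus two benign entries from the log posted later (the "..." in the URLs is the forum's truncation, kept as posted).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One HijackThis line is "<code> - <body>", e.g. "O2 - BHO: <name> - {CLSID} - C:\path\x.dll".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: the five lines the expert asked to fix, plus two entries from
# the later log in this thread that are legitimate (Norton BHO, WGA control), for contrast.
# The "..." inside the URLs is the forum's own truncation and is kept as posted.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
"""


@dataclass
class Entry:
    code: str              # HijackThis section, e.g. "O2"
    body: str              # everything after "<code> - "
    clsid: Optional[str]   # first CLSID found on the line, if any
    target: str            # file path or URL: the text after the last " - "
    reasons: list = field(default_factory=list)  # review hints attached by assess()


def parse_log(text: str) -> list:
    """Return only the R/F/O entries; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        cm = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[-1]
        entries.append(Entry(code, body, cm.group(0) if cm else None, target))
    return entries


def assess(e: Entry) -> Entry:
    """Attach review hints. These are heuristics, not verdicts: the expert's list
    also contained the O9 'IE Password' button, which none of these rules catch,
    and a legitimate BHO can be registered with '(no name)' too."""
    if "(file missing)" in e.body or "(no file)" in e.body:
        e.reasons.append("registry entry points at a file that is no longer on disk")
    if e.code in ("R0", "R1") and e.body.endswith("= about:blank"):
        e.reasons.append("IE start/search page reset to about:blank")
    if e.code == "O16" and not re.search(r"\} \([^)]*\) - ", e.body):
        e.reasons.append("ActiveX download (DPF) registered without a friendly name")
    if e.code == "O2" and "(no name)" in e.body:
        e.reasons.append("browser helper object without a display name")
    return e


def flagged(text: str) -> list:
    """Entries that picked up at least one review hint, in log order."""
    return [e for e in map(assess, parse_log(text)) if e.reasons]


def diff_logs(before: str, after: str) -> tuple:
    """Compare two logs by their entry lines, so a re-scan can confirm that
    'Fix checked' removed exactly the chosen items and nothing new appeared."""
    old = {e.code + " - " + e.body for e in parse_log(before)}
    new = {e.code + " - " + e.body for e in parse_log(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.code, e.target)
        for r in e.reasons:
            print("   ", r)
```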

#18 mnadeem (Topic Starter, Member, 98 posts)
Here are the two logs you required.
Logfile of HijackThis v1.99.1
Scan saved at 11:32:22 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Second:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

* aurora C:\WINDOWS\XVUWDBD.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\AHAW.EXE
* UPX! C:\WINDOWS\System32\INIT32M.EXE
* UPX! C:\WINDOWS\System32\SETUP_~1.EXE
* UPX! C:\WINDOWS\System32\SQMFXAAA.EXE
* UPX! C:\WINDOWS\System32\TASKMG.EXE
* UPX! C:\WINDOWS\System32\THIN-9~2.EXE
* UPX! C:\WINDOWS\System\UPDINS~1.EXE
* UPX! C:\WINDOWS\ANIQUEO.EXE
* UPX! C:\WINDOWS\CELEBR~1.EXE
* UPX! C:\WINDOWS\DWBREA~1.EXE
* UPX! C:\WINDOWS\HHSSJPR.EXE
* UPX! C:\WINDOWS\MSBB.EXE
* UPX! C:\WINDOWS\VMOBYK~1.EXE
* UPX! C:\WINDOWS\XNNJFX.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\AVISYNTH.DLL
* UPX! C:\WINDOWS\System32\DEVIL.DLL
* UPX! C:\WINDOWS\System32\IEPASS~1.DLL
* UPX! C:\WINDOWS\System32\MACDEC.DLL
* UPX! C:\WINDOWS\System32\SRPCSR~1.DLL
* UPX! C:\WINDOWS\System32\TXFDB32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\VMOBYK~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\ABASA5~1.EXE
* SAHAgent C:\WINDOWS\System32\AP9H4QMO.EXE
* SAHAgent C:\WINDOWS\System32\BLN02NQV.EXE
* SAHAgent C:\WINDOWS\System32\GAH95ON6.EXE
* SAHAgent C:\WINDOWS\System32\HOCHKA~1.EXE
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.EXE
* SAHAgent C:\WINDOWS\U6F6UF~1.EXE
* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\A95KFRHE.INI
* SAHAgent C:\WINDOWS\System32\ABASA5~1.INI
* SAHAgent C:\WINDOWS\System32\AP9H4QMO.INI
* SAHAgent C:\WINDOWS\System32\BLN02NQV.INI
* SAHAgent C:\WINDOWS\System32\GAH95ON6.INI
* SAHAgent C:\WINDOWS\System32\HOCHKA~1.INI
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.INI
* SAHAgent C:\WINDOWS\System32\U6F6UF~1.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* _rtneg3 C:\WINDOWS\System32\NSF2AA.DLL
* _rtneg3 C:\WINDOWS\System32\NSOC.DLL
* _rtneg3 C:\WINDOWS\System32\NSP21C.DLL
* _rtneg3 C:\WINDOWS\System32\NSP29B.DLL
* _rtneg3 C:\WINDOWS\System32\NSP58.DLL
* _rtneg3 C:\WINDOWS\System32\NSQ243.DLL
* _rtneg3 C:\WINDOWS\System32\NST30.DLL
* _rtneg3 C:\WINDOWS\System32\NSU23E.DLL
* _rtneg3 C:\WINDOWS\System32\NSV246.DLL
* _rtneg3 C:\WINDOWS\System32\NSY10C.DLL
* _rtneg3 C:\WINDOWS\System32\RTNEG3.DLL

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is WINXPSPI
Volume Serial Number is B05F-E6B5

Directory of C:\WINDOWS\SYSTEM32

04/13/2005 06:52 PM <DIR> cache32_rtneg3
0 File(s) 0 bytes
1 Dir(s) 22,293,159,936 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C is WINXPSPI
Volume Serial Number is B05F-E6B5

Directory of C:\WINDOWS\system32

03/18/2005 04:59 PM 2,998 bball.ico
01/28/2005 05:43 PM 2,526 bikini31.ico
04/14/2005 12:00 AM 3,262 bingo_big2.ico
11/15/2004 12:02 AM 3,262 body2.ico
01/02/2005 04:01 PM 3,262 body3331.ico
02/22/2005 02:11 AM 2,998 bomb1.ico
12/15/2004 02:40 PM 3,262 bubbles-ke2.ico
12/14/2004 07:56 PM 3,262 bubbles-ki.ico
03/16/2005 11:14 PM 3,262 conver radio 32x32-21.ico
11/20/2004 08:28 PM 3,262 creditcard21.ico
12/17/2004 07:40 PM 3,262 creditcard321.ico
02/22/2005 02:30 PM 3,262 creditcard32123123123.ico
04/15/2005 05:42 PM 3,262 creditcard32123123123asdsa.ico
10/08/2004 12:11 AM 4,286 dating1.ico
01/12/2005 11:40 PM 4,286 datingpof1.ico
04/13/2005 11:45 PM 3,262 dice2.ico
11/16/2004 08:00 PM 1,078 disk01.ico
10/10/2004 12:38 AM 4,286 driving4dollars.ico
03/26/2005 08:33 PM 3,262 eye41.ico
12/12/2004 07:44 PM 4,286 greenmovie.ico
12/15/2004 02:40 PM 4,286 greenmovie2.ico
03/07/2005 01:46 AM 4,286 greenmovie2313.ico
03/15/2005 03:31 PM 4,286 greenmovie2313asa.ico
04/13/2005 06:51 PM 4,286 greenmovie2313asaadsasfad.ico
04/15/2005 05:42 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/13/2005 11:45 PM 3,262 hotbod123121.ico
02/22/2005 02:10 AM 2,526 ibm laptop1.ico
03/07/2005 01:47 AM 2,526 ibm laptop21.ico
03/14/2005 03:21 PM 2,526 ibm laptop3.ico
02/22/2005 02:30 PM 2,526 ibmlaptop1.ico
03/29/2005 06:44 PM 2,526 ibmlaptop12312a.ico
06/21/2001 04:54 AM 2,238 iepassword.ico
06/19/2001 02:35 PM 2,238 iepasswordgray.ico
02/24/2005 08:33 PM 3,262 imacg51.ico
12/09/2004 04:17 PM 4,286 internet popup blocker1.ico
02/23/2005 02:03 PM 3,262 kas pink123.ico
02/24/2005 08:33 PM 3,262 kas pink1231.ico
03/07/2005 01:46 AM 3,262 kas pink1233.ico
03/18/2005 04:59 PM 3,262 kas pink1233a1.ico
04/13/2005 06:51 PM 3,262 kas pink1233aadsfa1.ico
04/14/2005 12:00 AM 3,262 kas pink1233aadsfa12.ico
02/28/2005 10:39 PM 3,262 kas4b.ico
03/15/2005 11:32 PM 3,262 kas4c1.ico
02/12/2005 01:49 PM 2,526 kasant1.ico
11/03/2004 01:07 PM 4,286 kevid1.ico
12/08/2004 08:05 AM 4,286 kevid231.ico
02/19/2005 10:07 PM 4,286 kevid231231.ico
04/07/2005 10:47 AM 4,286 kevid231231aa.ico
10/07/2004 05:34 PM 4,286 kill all spyware11.ico
12/09/2004 04:17 PM 4,286 kill all spyware212345.ico
02/22/2005 02:11 AM 4,286 kill all spyware212412431.ico
03/10/2005 03:28 PM 4,286 kill all spyware2124124311.ico
10/10/2004 12:38 AM 2,526 kill all spyware31.ico
02/09/2005 02:32 PM 4,286 kill all spyware32a1.ico
03/03/2005 07:48 PM 4,286 kill all spyware33a1.ico
04/13/2005 11:45 PM 3,262 kill all spyware41.ico
03/15/2005 12:38 PM 3,262 kill all spyware451.ico
03/18/2005 12:52 AM 4,286 kill all spywareadsfadsf1.ico
12/09/2004 04:17 PM 3,262 kill evidence 3.ico
01/29/2005 05:31 AM 2,526 kill internet popups12.ico
11/12/2004 01:50 AM 4,286 kill internet popups51.ico
12/17/2004 07:40 PM 3,262 killallspyware00.ico
01/02/2005 03:59 PM 3,262 killinternetpops32.ico
02/19/2005 10:07 PM 3,262 killinternetpops32121.ico
12/25/2004 12:10 AM 3,262 killinternetpopups-33.ico
03/29/2005 06:44 PM 3,262 killinternetpopups-33123213.ico
03/03/2005 08:52 PM 3,262 kspy1.ico
01/19/2005 01:55 AM 4,286 kxp41231.ico
01/12/2005 07:11 PM 2,526 laptop41.ico
04/13/2005 11:45 PM 1,078 mac02.ico
03/26/2005 08:33 PM 4,286 moviescirc2.ico
04/13/2005 11:45 PM 4,286 moviesorangecirc1.ico
03/15/2005 03:31 PM 4,286 mp3 players4sale1.ico
03/26/2005 08:33 PM 4,286 mp3 players4salea.ico
04/15/2005 05:42 PM 4,286 mp3red51aads.ico
04/13/2005 06:51 PM 4,286 mp3red51aads1.ico
02/23/2005 02:02 PM 2,238 plasma screen1.ico
04/13/2005 11:45 PM 3,262 poker112.ico
03/15/2005 12:35 PM 4,286 pop up blaster.ico
02/22/2005 02:11 AM 4,286 pop up blaster1.ico
04/15/2005 05:42 PM 4,286 pop up blaster123213.ico
04/05/2005 08:46 AM 4,286 pop up blaster1232131.ico
01/12/2005 11:40 PM 16,614 popupblocker231.ico
01/03/2005 02:36 AM 4,286 popupkiller1231231.ico
01/23/2005 02:45 PM 4,286 popupkiller123123a.ico
04/14/2005 12:00 AM 3,262 popupkiller2asdf1.ico
04/15/2005 05:42 PM 2,238 red_kas.ico
04/05/2005 08:46 AM 2,238 red_kas1.ico
02/24/2005 08:33 PM 2,238 safe1.ico
01/29/2005 06:48 PM 19,942 securefavorites.ico
01/12/2005 07:11 PM 3,262 spamnotifyiconbox324.ico
01/22/2003 05:49 AM 2,238 SPCF.ICO
01/22/2003 05:49 AM 2,238 SPMS.ICO
01/22/2003 05:49 AM 2,238 SPSDMMC.ICO
01/22/2003 05:49 AM 2,238 SPSM.ICO
10/23/2004 09:41 AM 4,286 stop popups231.ico
02/05/2005 07:00 PM 2,526 superbowl1.ico
01/29/2005 06:48 PM 4,286 usagold312.ico
02/04/2005 11:33 AM 3,262 usaplat123123.ico
04/13/2005 11:45 PM 3,262 usaplat1231231231.ico
12/12/2004 07:44 PM 4,286 usaplatinum.ico
01/18/2005 01:26 PM 4,286 usaplatinum12.ico
01/29/2005 06:48 PM 4,286 usaplatinum12342342341.ico
03/06/2005 09:55 PM 4,286 usaplatinum2.ico
10/23/2004 09:41 AM 4,286 usaplatinum51.ico
01/08/2005 11:04 AM 4,286 usaplatinum609.ico
11/20/2004 08:28 PM 4,286 usaplatinum61.ico
12/17/2004 07:39 PM 3,262 usplat151.ico
01/23/2005 02:45 PM 3,262 usplat15112.ico
04/13/2005 11:45 PM 3,262 vh e2.ico
03/10/2005 03:28 PM 3,262 vh e23.ico
04/15/2005 05:42 PM 3,262 vh e233.ico
04/13/2005 06:51 PM 3,262 vh e2331.ico
04/14/2005 12:04 AM 19,942 virus hunter yeah1.ico
12/08/2004 12:28 AM 19,942 virushunter1.ico
10/30/2004 09:05 AM 19,942 virushunter21.ico
01/29/2005 06:48 PM 19,942 virushunter231.ico
01/02/2005 03:59 PM 19,942 virushunter31.ico
10/23/2004 09:41 AM 19,942 wmkiller2.ico
12/17/2004 07:40 PM 3,262 xmas.ico
12/17/2004 01:34 AM 3,262 xox23_icon.ico
01/11/2005 06:40 PM 3,262 yuk or yum 32.ico
01/06/2005 03:33 AM 3,262 yuk or yum 41.ico
01/18/2005 01:26 PM 3,262 yuk or yum 6a1.ico
12/09/2004 10:06 PM 3,262 yuk or yum 7.ico
02/22/2005 02:30 PM 3,262 yuk or yum 7adsfas1.ico
01/19/2005 01:55 AM 3,262 yuk or yum 8a1.ico
12/08/2004 08:04 AM 3,262 yuk or yum.ico
01/23/2005 02:45 PM 5,182 yuk or yum1a.ico
129 File(s) 574,654 bytes
0 Dir(s) 22,293,147,648 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUT3o5pListSPos
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\Bolger\BLI9d1OfSInst
HKEY_CURRENT_USER\Software\Bolger\BLC9n1trMsgSDisp
HKEY_CURRENT_USER\Software\Bolger\BLT9o1pListSPos
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky1S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky2S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky3S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky4S
HKEY_CURRENT_USER\Software\Bolger\BLC1o9d1eOfSFinalAd
HKEY_CURRENT_USER\Software\Bolger\BLT9i1m4eOfSFinalAd
HKEY_CURRENT_USER\Software\Bolger\BLD9s1tSSEnd
HKEY_CURRENT_USER\Software\Bolger\BL9N1a4tionSCode
HKEY_CURRENT_USER\Software\Bolger\BLP9D1om
HKEY_CURRENT_USER\Software\Bolger\BLT9h1rshSCheckSIn
HKEY_CURRENT_USER\Software\Bolger\BLT9h1rshSMots
HKEY_CURRENT_USER\Software\Bolger\BLM9o1deSSync
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSCab
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSEx
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSLstest
HKEY_CURRENT_USER\Software\Bolger\BLL9a1stMotsSDay
HKEY_CURRENT_USER\Software\Bolger\BLL9a1stSSChckin
HKEY_CURRENT_USER\Software\Bolger\BLC9n1tFyl
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\CLSID\
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\CurVer\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver

#19 mnadeem (Topic Starter, Member, 98 posts)
Hi, should I remove all that you have said earlier? Then it will take some time. Second, I do not know if I delete the right file... please advise before I perform.
Second, I have not told you that on this PC there are two users... do I have to do all this in the second user also?
Because I have not yet opened the second user.

Edited by mnadeem, 16 May 2005 - 03:45 PM.


#20 miekiemoes (Malware Expert, MVP, 5,503 posts)
You haven't deleted the files manually I asked you previously?
Any reason? What happened? Why didn't you delete them?

I'll need a new findit's-log after you delete those files:

I'm going to quote a previous post:

Print the next part out or save it in Notepad, because you still have a lot to delete.

Delete in your C:\Windows-folder next:

XVUWDBD.EXE
ANIQUEO.EXE
CELEBR~1.EXE
DWBREA~1.EXE
HHSSJPR.EXE
MSBB.EXE
NAIL.EXE
XNNJFX.EXE
VMOBYK~1.EXE

Delete in your C:\Windows\system32-folder next:

AHAW.EXE
INIT32M.EXE
SETUP_~1.EXE
SQMFXAAA.EXE
TASKMG.EXE <== don't delete taskmgr.exe!!!
THIN-9~2.EXE
UPDINS~1.EXE
ABASA5~1.EXE
AP9H4QMO.EXE
BLN02NQV.EXE
GAH95ON6.EXE
HOCHKA~1.EXE
Q17I9A4J.EXE
U6F6UF~1.EXE
70TOVMTO.INI
A95KFRHE.INI
ABASA5~1.INI
AP9H4QMO.INI
BLN02NQV.INI
GAH95ON6.INI
HOCHKA~1.INI
Q17I9A4J.INI
U6F6UF~1.INI
NSF2AA.DLL
NSOC.DLL
NSP21C.DLL
NSP29B.DLL
NSP58.DLL
NSQ243.DLL
NST30.DLL
NSU23E.DLL
NSV246.DLL
NSY10C.DLL
RTNEG3.DLL
TXFDB32.DLL

bball.ico
bikini31.ico
bingo_big2.ico
body2.ico
body3331.ico
bomb1.ico
bubbles-ke2.ico
bubbles-ki.ico
conver radio 32x32-21.ico
creditcard21.ico
creditcard321.ico
creditcard32123123123.ico
creditcard32123123123asdsa.ico
dating1.ico
datingpof1.ico
dice2.ico
disk01.ico
driving4dollars.ico
eye41.ico
greenmovie.ico
greenmovie2.ico
greenmovie2313.ico
greenmovie2313asa.ico
greenmovie2313asaadsasfad.ico
greenmovie2313asaadsasfad112341231adsfa.ico
hotbod123121.ico
ibm laptop1.ico
ibm laptop21.ico
ibm laptop3.ico
ibmlaptop1.ico
ibmlaptop12312a.ico
iepassword.ico
iepasswordgray.ico
imacg51.ico
internet popup blocker1.ico
kas pink123.ico
kas pink1231.ico
kas pink1233.ico
kas pink1233a1.ico
kas pink1233aadsfa1.ico
kas pink1233aadsfa12.ico
kas4b.ico
kas4c1.ico
kasant1.ico
kevid1.ico
kevid231.ico
kevid231231.ico
kevid231231aa.ico
kill all spyware11.ico
kill all spyware212345.ico
kill all spyware212412431.ico
kill all spyware2124124311.ico
kill all spyware31.ico
kill all spyware32a1.ico
kill all spyware33a1.ico
kill all spyware41.ico
kill all spyware451.ico
kill all spywareadsfadsf1.ico
kill evidence 3.ico
kill internet popups12.ico
kill internet popups51.ico
killallspyware00.ico
killinternetpops32.ico
killinternetpops32121.ico
killinternetpopups-33.ico
killinternetpopups-33123213.ico
kspy1.ico
kxp41231.ico
laptop41.ico
mac02.ico
moviescirc2.ico
moviesorangecirc1.ico
mp3 players4sale1.ico
mp3 players4salea.ico
mp3red51aads.ico
mp3red51aads1.ico
plasma screen1.ico
poker112.ico
pop up blaster.ico
pop up blaster1.ico
pop up blaster123213.ico
pop up blaster1232131.ico
popupblocker231.ico
popupkiller1231231.ico
popupkiller123123a.ico
popupkiller2asdf1.ico
red_kas.ico
red_kas1.ico
safe1.ico
securefavorites.ico
spamnotifyiconbox324.ico
stop popups231.ico
superbowl1.ico
usagold312.ico
usaplat123123.ico
usaplat1231231231.ico
usaplatinum.ico
usaplatinum12.ico
usaplatinum12342342341.ico
usaplatinum2.ico
usaplatinum51.ico
usaplatinum609.ico
usaplatinum61.ico
usplat151.ico
usplat15112.ico
vh e2.ico
vh e23.ico
vh e233.ico
vh e2331.ico
virus hunter yeah1.ico
virushunter1.ico
virushunter21.ico
virushunter231.ico
virushunter31.ico
wmkiller2.ico
xmas.ico
xox23_icon.ico
yuk or yum 32.ico
yuk or yum 41.ico
yuk or yum 6a1.ico
yuk or yum 7.ico
yuk or yum 7adsfas1.ico
yuk or yum 8a1.ico
yuk or yum.ico
yuk or yum1a.ico
cache32_rtneg3 <== folder

If you're having problems with deleting them, try this in safe mode.


So when you have done this, post a new findit's-log -- otherwise this won't make any sense. :tazz:

#21 miekiemoes (Malware Expert, MVP, 5,503 posts)

Second, I do not know if I delete the right file


Read my post above very carefully.
I think I'm clear in there about what files to delete -- there are a lot.
Just look in those folders I ask you to and delete those files manually; that means, right-click on the files I tell you to delete in the above post and choose Delete.

Yes, it will take some time to delete them all -- but you are responsible for installing/downloading them yourself while visiting crack sites and other illegal sites, so now you have to take the consequences of it. I'm pretty sure you will stay away from those sites now :tazz:

Edited by miekiemoes, 16 May 2005 - 03:51 PM.


#22 mnadeem (Topic Starter, Member, 98 posts)
OK, hi.
In safe mode or in normal? Then proceeding with your advice.

#23 mnadeem (Topic Starter, Member, 98 posts)
Thanks, OK, hi.
I have seen it in safe mode.

#24 miekiemoes (Malware Expert, MVP, 5,503 posts)
Yes, it's better to perform it in safe mode, so that's why it is better to print this out or save it in Notepad, because this page won't be available in safe mode, because you don't have an internet connection.
And it is really important that you only delete those files I ask you to delete.

Don't perform any other things I don't ask you to -- just delete the files and post a new findit's-log afterwards when done :tazz:

#25 mnadeem (Topic Starter, Member, 98 posts)
Hi, again a new log.
Logfile of HijackThis v1.99.1
Scan saved at 1:26:03 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/17/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\TASKMG.EXE
* UPX! C:\WINDOWS\System\UPDINS~1.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\AVISYNTH.DLL
* UPX! C:\WINDOWS\System32\DEVIL.DLL
* UPX! C:\WINDOWS\System32\IEPASS~1.DLL
* UPX! C:\WINDOWS\System32\MACDEC.DLL
* UPX! C:\WINDOWS\System32\SRPCSR~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\U6F6UF~1.EXE
* SAHAgent C:\WINDOWS\System32\A95KFRHE.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is WINXPSPI
Volume Serial Number is B05F-E6B5

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is WINXPSPI
Volume Serial Number is B05F-E6B5

Directory of C:\WINDOWS\system32

01/22/2003 05:49 AM 2,238 SPCF.ICO
01/22/2003 05:49 AM 2,238 SPMS.ICO
01/22/2003 05:49 AM 2,238 SPSDMMC.ICO
01/22/2003 05:49 AM 2,238 SPSM.ICO
4 File(s) 8,952 bytes
0 Dir(s) 22,293,913,600 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUT3o5pListSPos
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\Bolger\BLI9d1OfSInst
HKEY_CURRENT_USER\Software\Bolger\BLC9n1trMsgSDisp
HKEY_CURRENT_USER\Software\Bolger\BLT9o1pListSPos
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky1S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky2S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky3S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky4S
HKEY_CURRENT_USER\Software\Bolger\BLC1o9d1eOfSFinalAd
HKEY_CURRENT_USER\Software\Bolger\BLT9i1m4eOfSFinalAd
HKEY_CURRENT_USER\Software\Bolger\BLD9s1tSSEnd
HKEY_CURRENT_USER\Software\Bolger\BL9N1a4tionSCode
HKEY_CURRENT_USER\Software\Bolger\BLP9D1om
HKEY_CURRENT_USER\Software\Bolger\BLT9h1rshSCheckSIn
HKEY_CURRENT_USER\Software\Bolger\BLT9h1rshSMots
HKEY_CURRENT_USER\Software\Bolger\BLM9o1deSSync
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSCab
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSEx
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSLstest
HKEY_CURRENT_USER\Software\Bolger\BLL9a1stMotsSDay
HKEY_CURRENT_USER\Software\Bolger\BLL9a1stSSChckin
HKEY_CURRENT_USER\Software\Bolger\BLC9n1tFyl
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\CLSID\
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\CurVer\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver
  • 0
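The HijackThis log above is a flat text format, one entry per line, and a reviewer reads it by pulling out the same few fields each time: the section code (O2, O4, O16, O17 ...), the label, the CLSID and the file path or URL. The parser below is an added example for this thread, not part of HijackThis or of the findit tool; its sample input is a handful of lines copied from the log above, and the triage flags (dangling registrations, unnamed components, public resolvers in the O17 line) are the reviewer's own heuristics, not something the tool emits. It also handles the edge case visible in this log, a path containing ` - ` (`Spybot - Search & Destroy`), which a naive split on the separator would break.

```python
"""Parse HijackThis-style log lines and pull out the fields a reviewer triages.

Added example for this thread; not part of HijackThis or the findit tool.
The flags produced by triage() are this example's own heuristics."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[ROFN]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DESC_RE = re.compile(r"^\((?P<desc>[^)]*)\) - (?P<rest>.*)$")   # O16: (Control name) - url
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")       # O4: [ValueName] command
NS_RE = re.compile(r"NameServer = (?P<ns>.*)$")                 # O17: NameServer = a,b,c


@dataclass
class Entry:
    code: str
    body: str
    label: Optional[str] = None
    clsid: Optional[str] = None
    target: Optional[str] = None          # file path, URL or nameserver list
    flags: List[str] = field(default_factory=list)


def triage(e: Entry) -> List[str]:
    """Reviewer heuristics for one entry (this example's own, not HijackThis's)."""
    flags = []
    tgt = e.target or ""
    if tgt in ("(no file)", "(file missing)") or tgt.endswith("(file missing)"):
        flags.append("dangling-registration")          # registry points at nothing
    if e.label == "(no name)" and e.code in ("O2", "O3", "O16", "R3"):
        flags.append("unnamed-component")               # look the CLSID up before fixing
    if e.code == "O17":
        for ip in tgt.split(","):
            try:
                addr = ipaddress.ip_address(ip.strip())
            except ValueError:
                flags.append("unparseable-nameserver " + ip.strip())
                continue
            if not addr.is_private:                     # confirm these belong to the ISP
                flags.append("public-resolver " + str(addr))
    return flags


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    e = Entry(code=code, body=body)
    if code == "O4":
        r = RUN_RE.search(body)
        if r:
            e.label, e.target = r["name"], r["cmd"]
    elif code == "O17":
        r = NS_RE.search(body)
        if r:
            e.label, e.target = "NameServer", r["ns"]
    elif code.startswith("R") and " = " in body and not CLSID_RE.search(body):
        e.label, e.target = body.split(" = ", 1)
    else:
        c = CLSID_RE.search(body)
        if c:
            # Split around the CLSID so a " - " inside the path cannot mislead us.
            e.clsid = c.group(0).upper()
            head, tail = body[: c.start()], body[c.end():]
        elif " - " in body:
            head, _, tail = body.rpartition(" - ")
        else:
            head, _, tail = body.partition(": ")
        e.label = head.split(":", 1)[-1].strip(" -").split(" - ")[0] or "(no name)"
        tail = tail.lstrip(" -")
        d = DESC_RE.match(tail)
        if d:                                           # O16 carries the control name here
            e.label, tail = d["desc"], d["rest"]
        e.target = tail or None
    e.flags = triage(e)
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(e.code, e.label, e.clsid, e.target, e.flags)
```

Run it against the whole log rather than the sample and the flagged list is the short list to look up; the rest of the entries are the installed software the log already names.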

#26
mnadeem

mnadeem

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hi sir,
can I go into the second user? I have to look for my email. Or wait till all is OK. :tazz:
  • 0

#27
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP

Can I go into the second user? I have to look for my email. Or wait till all is OK.


Yes, take a look in your email. :tazz:
  • 0

#28
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Great Job!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab


* Click on Fix Checked when finished and exit HijackThis.

Delete next files again manually:

C:\WINDOWS\System32\TASKMG.EXE <== please don't delete taskmgr.exe, the one you have to delete is without the r in it!
C:\WINDOWS\System\UPDINS~1.EXE
C:\WINDOWS\U6F6UF~1.EXE
C:\WINDOWS\System32\A95KFRHE.INI

Where you see the ~1 in a name, that means there are more letters after that part of the name, but it starts with those letters.
Try to delete them in normal mode; normally that must work. If you have problems with deleting them, try it in safe mode.

About the next ones:
I want you to have them scanned online again at http://virusscan.jotti.org/
(you have done this before)

C:\WINDOWS\System32\IEPASS~1.DLL
C:\WINDOWS\System32\MACDEC.DLL
C:\WINDOWS\System32\SRPCSR~1.DLL

Post the results in your next reply. So I need 3 different results from the 3 different files above.

Edited by miekiemoes, 16 May 2005 - 05:47 PM.

  • 0
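The post above explains the `~1` names and warns about confusing `TASKMG.EXE` with `taskmgr.exe`. The helper below is an added example for this thread, not from HijackThis or findit: it models the default Windows 8.3 short-name rule (first six characters of the base name with spaces and extra periods removed, `~N`, first three characters of the extension, all upper case) and uses it to say which long file names in a directory listing a given short name could stand for. The directory listing is constructed; the real long names behind `UPDINS~1.EXE` and `SRPCSR~1.DLL` on the poster's machine are not known, so `updins_setup.exe` is a hypothetical stand-in. Windows switches to a hash-based form after four collisions, which the helper does not model.

```python
"""Map DOS 8.3 short names (UPDINS~1.EXE style) to candidate long names.

Added example for this thread, not part of HijackThis or the findit tool.
Implements the documented default short-name rule for ~1..~4 only."""
import string
from typing import List, Tuple

# Characters allowed in an 8.3 name besides letters and digits.
VALID_83 = set(string.ascii_letters + string.digits + "!#$%&'()-@^_`{}~")

# Constructed directory listing; updins_setup.exe is a hypothetical stand-in,
# the other names come from the thread (taskmgr.exe is the real Task Manager).
LISTING = ["taskmgr.exe", "TASKMG.EXE", "IEPassword.dll", "updins_setup.exe",
           "A95KFRHE.INI", "CopernicAgentExt.dll"]


def _split(name: str) -> Tuple[str, str]:
    """Base name and extension, splitting at the last period."""
    if "." in name:
        base, ext = name.rsplit(".", 1)
        return base, ext
    return name, ""


def fits_83(name: str) -> bool:
    """A name that already obeys 8.3 rules keeps itself as its short name."""
    base, ext = _split(name)
    return (1 <= len(base) <= 8 and len(ext) <= 3
            and all(c in VALID_83 for c in base + ext))


def short_name_candidates(name: str, max_n: int = 4) -> List[str]:
    """All short names Windows could assign to this long name (~1..~max_n)."""
    if fits_83(name):
        return [name.upper()]
    base, ext = _split(name)
    # Drop spaces and periods, replace anything else illegal with '_'.
    clean = "".join(c if c in VALID_83 else "_" for c in base if c not in " .")
    ext_clean = "".join(c if c in VALID_83 else "_" for c in ext if c not in " .")
    stem = clean[:6].upper()
    tail = ("." + ext_clean[:3].upper()) if ext_clean else ""
    return [f"{stem}~{n}{tail}" for n in range(1, max_n + 1)]


def could_be(short: str, long_name: str) -> bool:
    """True if `short` is a possible 8.3 alias of `long_name`."""
    return short.upper() in short_name_candidates(long_name)


def resolve_short_name(short: str, listing: List[str]) -> List[str]:
    """Long names in `listing` that the short name could refer to, in order."""
    return [n for n in listing if could_be(short, n)]


if __name__ == "__main__":
    for s in ("IEPASS~1.DLL", "UPDINS~1.EXE", "TASKMG.EXE", "COPERN~1.DLL"):
        print(s, "->", resolve_short_name(s, LISTING))
```

Note that `TASKMG.EXE` already fits 8.3, so it resolves only to itself and never to `taskmgr.exe`; that is exactly the distinction the post asks the reader to keep. On a live system `dir /x` in the target directory shows the real short names, which settles any case the rule leaves ambiguous.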

#29
mnadeem

mnadeem

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
OK,
going into the second user to see what happened, because after this I have not been there, because my Outlook is there, not here. :tazz:
As I wanted to go there I suddenly saw your new message; will go later ;)

Edited by mnadeem, 16 May 2005 - 05:50 PM.

  • 0

#30
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Please perform my steps first, and when your computer is clean again we'll take care of your Outlook.

Oh, by the way, you may already install an antivirus and firewall:

AVG, Bitdefender OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease their reliability!

Edit: I just went through your thread again and I see you had BullGuard and Trend Micro before.
I can't see them in your log now -- did you uninstall them? Or did you fix O23 lines in your HijackThis log that I didn't ask you to?
Well, I suggest here that you uninstall Trend Micro and BullGuard, REBOOT afterwards and install one of the antivirus programs I mentioned above.

Edited by miekiemoes, 16 May 2005 - 06:08 PM.

  • 0