Can't run Hijack This & other recommended software
#16 felipao (Member, Topic Starter, 23 posts)

OMG this thing is super smart!
When I came back to my computer explorer.exe was gone again.
I rebooted in safe mode to run ewido, as per your instructions, but it was blocked again :whistling:

I then rebooted in normal mode and ran HijackThis. Following is the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:35 PM, on 20/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\wincomm.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\akkpsat.exe (file missing)

edit: Few typos corrected

Edited by felipao, 21 September 2006 - 11:52 AM.

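The log above shows the same binary (wincomm.exe) appended to both Winlogon values (F2 Shell and UserInit), Run entries named after Windows components but pointing at copies of explorer.exe/iexplore.exe in system32, a near-miss name (spoolsvc.exe next to the real spoolsv.exe), and "Unknown owner" services with Windows-branded display names. The script below is an added example of triaging a HijackThis v1.99 log for exactly those patterns; it is not code from this thread or from HijackThis. The sample lines are a subset copied from the posted log; the table of expected Windows 2000 directories, the "Windows-branded name" heuristic and the one-character lookalike test are my own assumptions, not rules the tool applies.

```python
"""Triage of a HijackThis v1.99 log for autostart hijacks.

Added example for this thread; not code from the poster, the helper or
HijackThis. Sample lines are a subset copied from the posted log.
Assumptions (mine): KNOWN_DIRS describes Windows 2000 with %WinDir% =
C:\\WINNT; the "Windows-branded name" heuristic and the one-edit
lookalike test are heuristics, not HijackThis rules.
"""
import re
from typing import List, Set, Tuple

# Constructed sample: F2/O4/O23 lines copied from the posted log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe
"""

# Where these binaries legitimately live on a Windows 2000 box (assumed).
KNOWN_DIRS = {
    "explorer": r"c:\winnt",
    "iexplore": r"c:\program files\internet explorer",
    "spoolsv": r"c:\winnt\system32",
    "userinit": r"c:\winnt\system32",
    "winlogon": r"c:\winnt\system32",
    "svchost": r"c:\winnt\system32",
    "lsass": r"c:\winnt\system32",
    "services": r"c:\winnt\system32",
}
BRANDED = re.compile(r"microsoft|windows", re.I)
EXPECTED_FIRST = {"shell": "explorer", "userinit": "userinit"}


def split_path(p: str) -> Tuple[str, str]:
    """Return (directory, stem), lowercased; stem drops a trailing .exe."""
    p = p.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    stem = name[:-4] if name.endswith(".exe") else name
    return directory, stem


def first_token(cmd: str) -> str:
    """Executable part of a Run value: quoted path or first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by one inserted, deleted or substituted char."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    if len(a) > len(b):
        return a[i + 1:] == b[i:]
    return a[i:] == b[i + 1:]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the F2, O4 and O23 lines of a log."""
    findings: List[Tuple[str, str]] = []
    injected: Set[str] = set()  # stems appended to Winlogon Shell/UserInit
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]

    # Pass 1: Winlogon Shell/UserInit. Only the first, expected entry is
    # legitimate; anything appended runs at every logon, safe mode included.
    for line in lines:
        if not line.startswith("F2 - REG:system.ini:"):
            continue
        key, _, value = line.split(":", 2)[2].strip().partition("=")
        key = key.strip().lower()
        # Values on this box contain no spaces; quoted paths would need a real parser.
        entries = [e for e in re.split(r"[,\s]+", value) if e]
        for i, entry in enumerate(entries):
            if i == 0 and split_path(entry)[1] == EXPECTED_FIRST.get(key):
                continue
            injected.add(split_path(entry)[1])
            findings.append((f"winlogon-{key}-hijack", entry))

    # Pass 2: Run keys and services, cross-referenced against pass 1.
    for line in lines:
        m = re.match(r"O4 - (.+?): \[(.*?)\] (.*)", line)
        if m:
            _hive, name, cmd = m.groups()
            exe = first_token(cmd)
            directory, stem = split_path(exe)
            if stem in KNOWN_DIRS:
                if directory and directory != KNOWN_DIRS[stem]:
                    findings.append(("system-binary-wrong-dir", f"{name}: {exe}"))
            else:
                lookalike = [k for k in KNOWN_DIRS if within_one_edit(stem, k)]
                if lookalike:
                    findings.append(("lookalike-name", f"{stem}.exe ~ {lookalike[0]}.exe"))
                elif BRANDED.search(name):
                    findings.append(("branded-name-unknown-binary", f"{name}: {stem}.exe"))
            if stem in injected:
                findings.append(("also-in-winlogon", f"{name}: {stem}.exe"))
            continue
        if line.startswith("O23 - Service:"):
            parts = line[len("O23 - Service:"):].strip().split(" - ")
            if len(parts) < 3:
                continue
            display, owner, path = parts[0], parts[1], " - ".join(parts[2:])
            if "(file missing)" in path:
                findings.append(("service-file-missing", display))
            if owner == "Unknown owner" and BRANDED.search(display):
                findings.append(("branded-service-no-vendor", display))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```

Run it as-is and the vendor-signed AVG and ATI entries produce nothing, while every line the helper later asks to disable or fix is flagged; the "also-in-winlogon" rule is the one that matters most here, because a binary started from the Shell/UserInit values survives a Run-key cleanup and runs in safe mode, which matches the poster's experience of tools being blocked there.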
#17 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi

Don't give up on me. I must be missing something or I need a bigger hammer.


I need you to reboot into safemode and get me a new Winpfind log and combofix log.


Also click File > New Task and type services.msc

Disable the following 3 services:

Windows Genuine Advantage Registration Service
Microsoft Windows Internet Connections Manager
Windows Overlay Components

Edited by loophole, 21 September 2006 - 06:11 PM.

#18 felipao (Member, Topic Starter, 23 posts)

Don't get me wrong Loophole, I won't give up unless you do. I am still confident we will fix the problem. :whistling:

Anyway, I left WinPFind running the whole night but I lost the log this morning so I am running it again. Did you want me to disable the services before or after the scan? I was not able to disable them because I don't know the path for services.msc and when I typed it in the new task window it wasn't found.

I will probably have both logs later on today when I get home. Please let me know if it is ok to generate the log without the services being disabled.

Cheers
Felipe
#19 felipao (Member, Topic Starter, 23 posts)

OK. After running WinPFind and ComboFix my explorer came back and I was able to disable the three services.

Something weird happening right now is that a black window pops up (looks like a DOS prompt window) called C:\acer.exe. Every time this window comes up there is also an error message asking to cancel or ignore it.

Anyway, following are the logs:

WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 22/09/2006 8:19:00 AM
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 18/09/2006 3:04:58 AM 430592 C:\912_121.exe ()
UPX! 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()
FSG! 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()
PEC2 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()
WSUD 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PTech 12/12/1989 10:10:10 AM RHS 406864 C:\WINNT\akkpsatA.exe (System Service)
aspack 13/03/2005 3:23:18 PM 145408 C:\WINNT\CustoMess_Uninstall.exe (blobz.net)

Checking %System% folder...
aspack 18/03/2005 5:19:58 PM 2337488 C:\WINNT\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
PEC2 09/08/2005 3:14:00 PM 692736 C:\WINNT\SYSTEM32\DivX.dll (DivXNetworks)
PECompact2 09/08/2005 3:14:00 PM 692736 C:\WINNT\SYSTEM32\DivX.dll (DivXNetworks)
WinShutDown 19/09/2006 8:42:52 AM R S 237092 C:\WINNT\SYSTEM32\dtquery.dll ()
ad-w-a-r-e.com 19/09/2006 8:42:52 AM R S 237092 C:\WINNT\SYSTEM32\dtquery.dll ()
WinShutDown 18/09/2006 9:22:50 PM R S 237092 C:\WINNT\SYSTEM32\f22mlcf11f2.dll ()
ad-w-a-r-e.com 18/09/2006 9:22:50 PM R S 237092 C:\WINNT\SYSTEM32\f22mlcf11f2.dll ()
WinShutDown 15/09/2006 12:54:00 AM R S 234174 C:\WINNT\SYSTEM32\iGshlpr.dll ()
PTech 12/07/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll (Microsoft® Corporation)
WSUD 19/06/2003 12:05:04 PM 1011764 C:\WINNT\SYSTEM32\mfc42u.dll (Microsoft Corporation)
PECompact2 06/04/2006 12:48:38 PM 5143456 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 06/04/2006 12:48:38 PM 5143456 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
Umonitor 12/01/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL (Microsoft Corporation)
WinShutDown 18/09/2006 9:54:56 PM R S 237092 C:\WINNT\SYSTEM32\rmclib.dll ()
ad-w-a-r-e.com 18/09/2006 9:54:56 PM R S 237092 C:\WINNT\SYSTEM32\rmclib.dll ()
WinShutDown 18/09/2006 9:56:56 PM R S 237092 C:\WINNT\SYSTEM32\s4pu0e79eh.dll ()
ad-w-a-r-e.com 18/09/2006 9:56:56 PM R S 237092 C:\WINNT\SYSTEM32\s4pu0e79eh.dll ()
WinShutDown 18/09/2006 9:41:24 PM R S 237092 C:\WINNT\SYSTEM32\u0ru0a99ed.dll ()
ad-w-a-r-e.com 18/09/2006 9:41:24 PM R S 237092 C:\WINNT\SYSTEM32\u0ru0a99ed.dll ()
winsync 08/05/2001 5:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
UPX! 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
18/09/2006 3:03:54 AM H 54156 C:\WINNT\QTFont.qfn ()
20/09/2006 11:22:22 PM H 376062 C:\WINNT\ShellIconCache ()
21/09/2006 7:57:14 AM S 64 C:\WINNT\CSC\00000001 ()
21/09/2006 7:55:24 AM S 64 C:\WINNT\CSC\00000002 ()
20/09/2006 11:13:54 PM S 64 C:\WINNT\CSC\csc1.tmp ()
19/09/2006 8:42:52 AM R S 237092 C:\WINNT\system32\dtquery.dll ()
18/09/2006 9:22:50 PM R S 237092 C:\WINNT\system32\f22mlcf11f2.dll ()
18/09/2006 9:31:24 PM H 108032 C:\WINNT\system32\fawlixo.exe ()
18/09/2006 9:51:34 PM H 97544 C:\WINNT\system32\fmbqus.exe ()
15/09/2006 12:54:00 AM R S 234174 C:\WINNT\system32\iGshlpr.dll ()
20/09/2006 9:33:16 PM HS 23238 C:\WINNT\system32\net32b.exe ()
18/09/2006 9:54:56 PM R S 237092 C:\WINNT\system32\rmclib.dll ()
18/09/2006 9:56:56 PM R S 237092 C:\WINNT\system32\s4pu0e79eh.dll ()
18/09/2006 9:41:24 PM R S 237092 C:\WINNT\system32\u0ru0a99ed.dll ()
20/09/2006 11:44:44 PM H 1024 C:\WINNT\system32\config\default.LOG ()
21/09/2006 6:56:32 PM H 1024 C:\WINNT\system32\config\SAM.LOG ()
21/09/2006 6:54:38 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG ()
22/09/2006 8:18:50 AM H 1024 C:\WINNT\system32\config\software.LOG ()
21/09/2006 7:57:16 AM H 6 C:\WINNT\Tasks\SA.DAT ()

Checking for CPL files...
08/05/2001 5:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL (Microsoft Corporation)
08/05/2001 5:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
29/08/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl (Microsoft Corporation)
30/10/2001 8:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl (Microsoft Corporation)
26/07/2006 3:03:14 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
08/05/2001 5:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl (Microsoft Corporation)
27/03/2001 12:14:00 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL (Microsoft Corporation)
08/05/2001 5:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl (Microsoft Corporation)
26/05/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
29/08/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
23/09/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl (IBM Corporation)
08/05/2001 5:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
27/03/2001 12:14:00 PM 41232 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
26/05/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{02BCC737-B171-4746-94C9-0D8A0B2C0089} - Microsoft Office Template and Media Control - CodeBase = http://office.micros...tes/ieawsdc.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.co...ad/MsnPUpld.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.micros...b?1127002788515
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - Update Class - CodeBase = http://v4.windowsupd...8972.8273032407
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn...pDownloader.cab
{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - Java Plug-in 1.5.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/04/2006 5:10:02 PM 799 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()
15/04/2006 5:10:02 PM 1568 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
01/04/2006 3:56:56 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
15/09/2006 8:07:42 PM 551 C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\Webshots.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
11/07/2006 11:31:58 PM 9363 C:\Documents and Settings\Felipe .GLOBAL\Application Data\Comma Separated Values (Windows).EML ()
18/07/2006 8:12:34 PM 122 C:\Documents and Settings\Felipe .GLOBAL\Application Data\iScrobbler.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...ER}&ar=home
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Local Page - C:\WINNT\System32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - ToolBar888 = C:\Program Files\ToolBar888\MyToolBar.dll ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - ToolBar888 = C:\Program Files\ToolBar888\MyToolBar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{2E608F70-C430-4BC5-96F6-608E02EBA5B2} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8195
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc.)
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager - C:\WINNT\SYSTEM32\mobsync.exe (Microsoft Corporation)
LoadQM - C:\WINNT\loadqm.exe (Microsoft Corporation)
NeroCheck - C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
IntelliType - C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
ATIModeChange - C:\WINNT\SYSTEM32\Ati2mdxx.exe (ATI Technologies, Inc.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
ATIPTA - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe (GRISOFT, s.r.o.)
iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
WinampAgent - C:\Program Files\Winamp\winampa.exe ()
RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
PVModule - C:\PROGRA~1\PRINTV~1\pvmodule.exe ()
RegistryMechanic - Reg Data missing or invalid ()
!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)
Windows Explorer - C:\WINNT\system32\explorer.exe ()
Microsoft Internet Explorer - C:\WINNT\system32\iexplore.exe ()
Spooler SubSystem App - C:\WINNT\system32\spoolsvc.exe ()
Microsoft Windows Communicator for NT/XP - C:\WINNT\SYSTEM32\wincomm.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Start WingMan Profiler - Reg Data missing or invalid ()
Microsoft Windows Communicator for NT/XP - C:\WINNT\SYSTEM32\wincomm.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\Webshots.lnk - C:\Program Files\Webshots\Launcher.exe ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]
C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL = ()

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINNT\system32\userinit.exe,wincomm.exe
\\Shell = Explorer.exe wincomm.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\wzcnotif - wzcdlg.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{C6984616-148F-4080-89D7-92BF5CD7B627} - (NVIDIA nForce MCP Networking Controller)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINNT\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


ComboFix:

Felipe - Fri 22/09/2006 16:54:38.42 Service Pack 4
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Felipe .GLOBAL\Desktop\clean"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\dtquery.dll
C:\WINNT\system32\f22mlcf11f2.dll
C:\WINNT\system32\iGshlpr.dll
C:\WINNT\system32\rmclib.dll
C:\WINNT\system32\s4pu0e79eh.dll
C:\WINNT\system32\u0ru0a99ed.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\winservnt32.exe
C:\winservnt32.exe
C:\Program Files\ToolBar888
C:\Program Files\Common Files\{3C9CAC2C-072D-1033-1128-030312220002}


((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))


2006-09-20 23:44 188,928 --a------ C:\WINNT\system32\32205_netapi.exe
2006-09-20 23:41 188,928 --a------ C:\WINNT\system32\62006_netapi.exe
2006-09-20 23:41 188,928 --a------ C:\wincomm.exe
2006-09-20 23:21 188,928 --a------ C:\WINNT\system32\04706_netapi.exe
2006-09-20 23:11 227,840 --a------ C:\WINNT\system32\setup_26854.exe
2006-09-20 23:11 120,320 --a------ C:\WINNT\system32\12671_netapi.exe
2006-09-20 23:09 0 --a------ C:\WINNT\system32\67420_netapi.exe
2006-09-20 23:09 0 --a------ C:\WINNT\system32\37838_netapi.exe
2006-09-20 23:08 0 --a------ C:\WINNT\system32\20273_netapi.exe
2006-09-20 22:25 120,320 --a------ C:\WINNT\system32\78316_netapi.exe
2006-09-20 22:25 120,320 --a------ C:\bootini.exe
2006-09-20 21:33 23,238 --ahs---- C:\WINNT\system32\net32b.exe
2006-09-19 23:08 0 --a------ C:\WINNT\system32\74686_netapi.exe
2006-09-19 22:59 0 --a------ C:\WINNT\system32\71584_netapi.exe
2006-09-19 22:15 127 --a------ C:\WINNT\system32\sjgcg.bat
2006-09-19 21:59 126 --a------ C:\WINNT\system32\fyqh.bat
2006-09-18 21:51 97,544 --ah----- C:\WINNT\system32\fmbqus.exe
2006-09-18 21:48 0 --a------ C:\WINNT\system32\12738_netapi.exe
2006-09-18 21:46 66 --a------ C:\steal.exe
2006-09-18 21:46 24,576 --a------ C:\dr.exe
2006-09-18 21:45 188,928 --a------ C:\WINNT\system32\10775_netapi.exe
2006-09-18 21:31 108,032 --ah----- C:\WINNT\system32\fawlixo.exe
2006-09-18 21:25 20,480 --a------ C:\acer.exe
2006-09-18 20:54 188,928 --a------ C:\WINNT\system32\44132_netapi.exe
2006-09-18 03:05 53,120 --a------ C:\WINNT\srvzcymemb.exe
2006-09-18 03:05 406,864 -r-hs---- C:\WINNT\akkpsatA.exe
2006-09-18 03:05 215,308 --a------ C:\WINNT\srvdesrxnu.exe
2006-09-18 03:04 430,592 --a------ C:\912_121.exe
2006-09-17 21:31 170,836 --a------ C:\abcd.exe
2006-09-17 19:34 578,560 --a------ C:\Installer4.exe
2006-09-17 19:33 138,862 --a------ C:\acer32.exe
2006-09-17 19:29 188,928 --a------ C:\WINNT\system32\55175_netapi.exe
2006-09-13 20:49 194,048 --a------ C:\WINNT\system32\54887_netapi.exe
2006-09-12 21:17 1,386,496 --a------ C:\WINNT\system32\msvbvm60.dll
2006-09-12 20:23 831,760 --a------ C:\WINNT\system32\mswdat10.dll
2006-09-12 20:23 614,672 --a------ C:\WINNT\system32\mswstr10.dll
2006-09-12 20:23 6,416 -ra------ C:\WINNT\system32\hccoin.dll
2006-09-12 20:23 53,520 --a------ C:\WINNT\system32\msjter40.dll
2006-09-12 20:23 512,272 --a------ C:\WINNT\system32\msexch40.dll
2006-09-12 20:23 422,160 --a------ C:\WINNT\system32\msrd2x40.dll
2006-09-12 20:23 380,957 --a------ C:\WINNT\system32\expsrv.dll
2006-09-12 20:23 315,664 --a------ C:\WINNT\system32\msrd3x40.dll
2006-09-12 20:23 213,264 --a------ C:\WINNT\system32\msltus40.dll
2006-09-12 20:23 151,824 --a------ C:\WINNT\system32\msjint40.dll
2006-09-12 20:22 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2006-09-12 20:02 176,128 --a------ C:\WINNT\system32\nvuaudio.exe
2006-09-12 19:54 6,928 --a------ C:\WINNT\system32\schmupd.exe
2006-09-12 02:15 0 --a------ C:\WINNT\system32\41221_netapi.exe
2006-09-12 02:07 0 --a------ C:\WINNT\system32\31184_netapi.exe
2006-09-11 19:21 216,064 --------- C:\WINNT\system32\WinzAPI32.exe
2006-09-11 11:58 0 --a------ C:\WINNT\system32\37481_netapi.exe
2006-09-11 11:52 45,083 --a------ C:\WINNT\system32\ondsregl.exe
2006-09-11 11:26 770,048 --a------ C:\[email protected]
2006-09-11 11:17 194,048 --a------ C:\WINNT\system32\83652_netapi.exe
2006-09-11 10:56 770,048 --a------ C:\xpsp2.exe
2006-09-11 10:53 770,048 --a------ C:\[email protected]
2006-09-11 10:48 188,928 --a------ C:\WINNT\system32\45388_netapi.exe
2006-09-11 10:47 836 --a------ C:\WINNT\system32\winpfg32.sys
2006-09-11 06:18 188,928 --a------ C:\WINNT\system32\01164_netapi.exe
2006-09-11 00:23 18,192 --a------ C:\WINNT\system32\hid.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-22 16:55 -------- d-a------ C:\Program Files\Common Files
2006-09-20 18:25 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-18 19:29 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-13 23:36 -------- d-------- C:\Program Files\Winamp
2006-09-13 23:36 -------- d-------- C:\Program Files\Webshots
2006-09-13 23:36 -------- d-------- C:\Program Files\Internet Explorer
2006-09-13 23:35 -------- d-------- C:\Program Files\PrintView
2006-09-13 23:35 -------- d-------- C:\Program Files\iTunes
2006-09-13 23:24 -------- d-------- C:\Program Files\CleanUp!
2006-09-12 21:17 -------- d-------- C:\Program Files\Registry Mechanic
2006-09-12 19:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-12 02:19 -------- d-------- C:\Program Files\Last.fm Player
2006-09-11 10:46 33856 --a------ C:\WINNT\system32\drivers\oreans32.sys
2006-09-11 02:01 -------- d-------- C:\Program Files\eMule
2006-09-01 02:10 -------- d-------- C:\Program Files\Easy DVD Player
2006-08-24 17:45 -------- d-a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\SopCast
2006-08-22 22:44 -------- d-------- C:\Program Files\Java
2006-08-13 23:50 -------- d-------- C:\Program Files\Guild Wars
2006-08-13 13:13 -------- d-------- C:\Program Files\Soulseek-Test
2006-08-08 23:19 -------- d-------- C:\Documents and Settings\Felipe .GLOBAL\Application Data\CyberLink
2006-08-08 17:59 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-08 17:59 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-08 17:59 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-08-01 01:39 -------- d-------- C:\Program Files\mIRC
2006-07-26 23:43 -------- d-------- C:\Program Files\EndlessOnline
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\xing shared
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\Real
2006-07-18 20:12 122 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\iScrobbler.ini
2006-07-11 23:31 9363 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\Comma Separated Values (Windows).EML


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"=""
"Microsoft Windows Communicator for NT/XP"="wincomm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"LoadQM"="loadqm.exe"
"NeroCheck"="C:\\WINNT\\system32\\\\NeroCheck.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"ATIModeChange"="Ati2mdxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"RegistryMechanic"=""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Windows Explorer"="C:\\WINNT\\system32\\explorer.exe"
"Microsoft Internet Explorer"="C:\\WINNT\\system32\\iexplore.exe"
"Spooler SubSystem App"="C:\\WINNT\\system32\\spoolsvc.exe"
"Microsoft Windows Communicator for NT/XP"="wincomm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"SubscribedURL"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,00,00,00,60,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,50,05,00,00,62,01,00,00,80,02,00,00,e0,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,c8,00,00,00,2f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,c8,00,00,00,ed,00,00,00,a8,00,00,00,9e,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,05,00,00,1f,00,00,00,20,01,00,00,23,01,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Microsoft Windows Communicator for NT/XP"="wincomm.exe"
"Ms Java for Windows NT"="MS32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Fri 2006-09-22 16:57:30.60
ComboFix.txt
ComboFix2.txt
ComboFix3.txt


Cheers
Felipe

#20 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi Felipao :whistling:

OK, let's give it a go. If you can open and run ewido after this, go ahead and do it (normal or safe mode) and save the log, but do post the Avenger log first so I can review it. The Avenger report will be somewhat large because some of those files are probably gone.

Thanks

Please run a scan with HijackThis and check the following lines for removal:

F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Microsoft Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Spooler SubSystem App
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Microsoft Windows Communicator for NT/XP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Microsoft Internet Explorer

Drivers to unload:
oreans32
Files to delete:
C:\WINNT\system32\32205_netapi.exe
C:\WINNT\system32\62006_netapi.exe
C:\wincomm.exe
C:\WINNT\system32\04706_netapi.exe
C:\WINNT\system32\setup_26854.exe
C:\WINNT\system32\12671_netapi.exe
C:\WINNT\system32\67420_netapi.exe
C:\WINNT\system32\37838_netapi.exe
C:\WINNT\system32\20273_netapi.exe
C:\WINNT\system32\78316_netapi.exe
C:\WINNT\system32\explorer.exe
C:\WINNT\system32\iexplore.exe
C:\WINNT\system32\spooIsv.exe
C:\bootini.exe
C:\WINNT\system32\mguard.exe
C:\WINNT\system32\net32b.exe
C:\WINNT\system32\74686_netapi.exe
C:\WINNT\system32\71584_netapi.exe
C:\WINNT\system32\sjgcg.bat
C:\WINNT\system32\fyqh.bat
C:\WINNT\system32\fmbqus.exe
C:\WINNT\system32\12738_netapi.exe
C:\steal.exe
C:\dr.exe
C:\WINNT\system32\10775_netapi.exe
C:\WINNT\system32\fawlixo.exe
C:\acer.exe
C:\WINNT\system32\44132_netapi.exe
C:\WINNT\srvzcymemb.exe
C:\WINNT\srvdesrxnu.exe
C:\912_121.exe
C:\abcd.exe
C:\Installer4.exe
C:\acer32.exe
C:\WINNT\system32\55175_netapi.exe
C:\WINNT\system32\54887_netapi.exe
C:\WINNT\system32\41221_netapi.exe
C:\WINNT\system32\31184_netapi.exe
C:\WINNT\system32\WinzAPI32.exe
C:\WINNT\system32\37481_netapi.exe
C:\WINNT\system32\ondsregl.exe
C:\[email protected]
C:\WINNT\system32\83652_netapi.exe
C:\[email protected]
C:\WINNT\system32\45388_netapi.exe
C:\WINNT\system32\winpfg32.sys
C:\WINNT\system32\01164_netapi.exe
C:\xpsp2.exe
C:\WINNT\system32\fawlixo.exe
C:\WINNT\system32\fmbqus.exe
C:\WINNT\system32\rmclib.dll
C:\WINNT\akkpsatA.exe
C:\WINNT\CustoMess_Uninstall.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Edited by loophole, 22 September 2006 - 08:10 PM.
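
The pattern being fixed above (a second program chained onto Shell= and UserInit=, Run entries that launch system32\explorer.exe and a look-alike spooIsv.exe, and the 5-digit *_netapi.exe droppers) can be checked mechanically in a HijackThis log. The Python below is an added example and not part of the thread, HijackThis or The Avenger; the log lines it scans are constructed to mirror the ones posted here, and the allow-lists it uses are assumptions for a Windows 2000/XP box.

```python
"""Flag the HijackThis entries behind the persistence seen in this thread.

Added example, not part of the thread or of HijackThis/The Avenger.
Checks, on F2 (system.ini) and O4 (Run key) lines:
  a) programs chained onto Shell= or UserInit= besides the expected ones,
  b) Run entries that relaunch a chained program, a system binary that
     should never sit in a Run key, or explorer.exe/iexplore.exe from system32,
  c) look-alike names such as spooIsv.exe (capital I standing in for l),
  d) the 5-digit NNNNN_netapi.exe names the dropper kept generating.
The allow-lists below are assumptions for Windows 2000/XP, not tool data.
"""
import re

EXPECTED = {"Shell": {"explorer.exe"}, "UserInit": {"userinit.exe"}}
# explorer.exe belongs in %SystemRoot%, iexplore.exe under Program Files;
# either one under system32 is an impostor copy.
WRONG_DIR = {"explorer.exe": "\\system32\\", "iexplore.exe": "\\system32\\"}
NEVER_IN_RUN = {"iexplore.exe", "spoolsv.exe", "userinit.exe", "winlogon.exe"}
KNOWN = {"spoolsv.exe", "explorer.exe", "svchost.exe", "lsass.exe",
         "winlogon.exe", "services.exe", "csrss.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
NETAPI_RE = re.compile(r"^\d{5}_netapi\.exe$")


def first_program(command):
    """Executable part of a command line, quoted or bare (arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def homoglyph_of(name):
    """Known system name that `name` mimics via I/l, 1/l or 0/o swaps, else None."""
    def fold(s):
        return s.replace("i", "l").replace("1", "l").replace("0", "o")
    for known in KNOWN:
        if name != known and fold(name) == fold(known):
            return known
    return None


def analyze(log_text):
    """Return [(log line, reason)] for every suspicious F2/O4 line."""
    findings, chained, run_entries = [], set(), []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = F2_RE.match(line)
        if m:
            key, value = m.groups()
            # Shell= is space-separated, UserInit= comma-separated
            # (quoted Shell paths containing spaces are not handled here).
            for part in value.split("," if key == "UserInit" else None):
                name = basename(first_program(part))
                if name and name not in EXPECTED[key]:
                    chained.add(name)
                    findings.append((line, f"extra program chained onto {key}=: {name}"))
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append((line, m.group(3)))
    # Run keys are judged after all F2 lines are known, so a program hooked
    # into logon AND relaunched from a Run key is reported as one pattern.
    for line, command in run_entries:
        program = first_program(command)
        name = basename(program)
        look = homoglyph_of(name)
        if name in chained:
            findings.append((line, f"Run key relaunches logon-chained program {name}"))
        elif look:
            findings.append((line, f"look-alike of {look}: {name}"))
        elif name in WRONG_DIR and WRONG_DIR[name] in program.lower():
            findings.append((line, f"{name} launched from system32, not its real location"))
        elif name in NEVER_IN_RUN:
            findings.append((line, f"system binary {name} has no business in a Run key"))
        elif NETAPI_RE.match(name):
            findings.append((line, f"randomised dropper name: {name}"))
    return findings


# Constructed sample modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spooIsv.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [Updater] C:\WINNT\system32\32205_netapi.exe
"""

if __name__ == "__main__":
    for entry, reason in analyze(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The legitimate entries in the sample (mobsync.exe, type32.exe) produce no finding; everything the thread's expert asked to fix does.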


#21 felipao (Member, Topic Starter, 23 posts)
Hello!! :blink:
Thanks again for your time... I only have bad news today.
ewido still closes after a split second or doesn't open at all.
Avenger rebooted my comp., but it created a blank log :whistling:
Here is the fresh hijack log:



Logfile of HijackThis v1.99.1
Scan saved at 6:58:45 PM, on 22/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\mguard.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\system32\wincomm.exe
C:\WINNT\system32\spooIsv.exe
C:\WINNT\system32\cmd.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\avenger.exe
c:\mguard.exe
C:\WINNT\system32\FTP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spooIsv.exe
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by felipao, 22 September 2006 - 08:00 PM.


#22 loophole (Malware Expert, Retired Staff, 9,798 posts)
Try the process again please, including the Hijack fixes. It appears Avenger didn't run correctly, and it should have.

#23 felipao (Member, Topic Starter, 23 posts)
I tried the process again but had the same problem. I then rebooted in safe mode and did the Hijack fix there. I also ran Avenger from safe mode and added the script you gave me. It then rebooted in normal mode and... Voila! It worked. See logs below. You're awesome, dude! :whistling:

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kvfhpvnf

*******************

Script file located at: \??\C:\ctkiicfb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver oreans32 unloaded successfully.
File C:\WINNT\system32\32205_netapi.exe deleted successfully.
File C:\WINNT\system32\62006_netapi.exe deleted successfully.
File C:\wincomm.exe deleted successfully.
File C:\WINNT\system32\04706_netapi.exe deleted successfully.
File C:\WINNT\system32\setup_26854.exe deleted successfully.
File C:\WINNT\system32\12671_netapi.exe deleted successfully.
File C:\WINNT\system32\67420_netapi.exe deleted successfully.
File C:\WINNT\system32\37838_netapi.exe deleted successfully.
File C:\WINNT\system32\20273_netapi.exe deleted successfully.
File C:\WINNT\system32\78316_netapi.exe deleted successfully.
File C:\bootini.exe deleted successfully.
File C:\WINNT\system32\net32b.exe deleted successfully.
File C:\WINNT\system32\74686_netapi.exe deleted successfully.
File C:\WINNT\system32\71584_netapi.exe deleted successfully.
File C:\WINNT\system32\sjgcg.bat deleted successfully.
File C:\WINNT\system32\fyqh.bat deleted successfully.
File C:\WINNT\system32\fmbqus.exe deleted successfully.
File C:\WINNT\system32\12738_netapi.exe deleted successfully.
File C:\steal.exe deleted successfully.
File C:\dr.exe deleted successfully.
File C:\WINNT\system32\10775_netapi.exe deleted successfully.
File C:\WINNT\system32\fawlixo.exe deleted successfully.
File C:\acer.exe deleted successfully.
File C:\WINNT\system32\44132_netapi.exe deleted successfully.
File C:\WINNT\srvzcymemb.exe deleted successfully.
File C:\WINNT\srvdesrxnu.exe deleted successfully.
File C:\912_121.exe deleted successfully.
File C:\abcd.exe deleted successfully.
File C:\Installer4.exe deleted successfully.
File C:\acer32.exe deleted successfully.
File C:\WINNT\system32\55175_netapi.exe deleted successfully.
File C:\WINNT\system32\54887_netapi.exe deleted successfully.
File C:\WINNT\system32\41221_netapi.exe deleted successfully.
File C:\WINNT\system32\31184_netapi.exe deleted successfully.
File C:\WINNT\system32\WinzAPI32.exe deleted successfully.
File C:\WINNT\system32\37481_netapi.exe deleted successfully.
File C:\WINNT\system32\ondsregl.exe deleted successfully.
File C:\[email protected] deleted successfully.
File C:\WINNT\system32\83652_netapi.exe deleted successfully.
File C:\[email protected] deleted successfully.
File C:\WINNT\system32\45388_netapi.exe deleted successfully.
File C:\WINNT\system32\winpfg32.sys deleted successfully.
File C:\WINNT\system32\01164_netapi.exe deleted successfully.
File C:\xpsp2.exe deleted successfully.


File C:\WINNT\system32\fawlixo.exe not found!
Deletion of file C:\WINNT\system32\fawlixo.exe failed!

Could not process line:
C:\WINNT\system32\fawlixo.exe
Status: 0xc0000034



File C:\WINNT\system32\fmbqus.exe not found!
Deletion of file C:\WINNT\system32\fmbqus.exe failed!

Could not process line:
C:\WINNT\system32\fmbqus.exe
Status: 0xc0000034



File C:\WINNT\system32\rmclib.dll not found!
Deletion of file C:\WINNT\system32\rmclib.dll failed!

Could not process line:
C:\WINNT\system32\rmclib.dll
Status: 0xc0000034

File C:\WINNT\akkpsatA.exe deleted successfully.
File C:\WINNT\CustoMess_Uninstall.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Internet Explorer deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Spooler SubSystem App deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Windows Communicator for NT/XP deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Internet Explorer
Deletion of registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Internet Explorer failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 7:49:12 PM, on 22/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\mguard.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,mguard.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by felipao, 22 September 2006 - 08:47 PM.


#24 loophole (Malware Expert, Retired Staff, 9,798 posts)
Boot to safe mode

Scan with hijack and fix these entries

F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,mguard.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe




Run avenger again using the script below

Files to delete:
C:\WINNT\system32\mguard.exe
C:\WINNT\system32\explorer.exe
C:\mguard.exe
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Ms Java for Windows NT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Windows Explorer



Post a new avenger and hijack log please

Edited by loophole, 22 September 2006 - 08:58 PM.


#25 felipao (Member, Topic Starter, 23 posts)
Yes, it's working.
The hijack log from my previous post is from a minute ago.
What do you mean by regroup?

Edited by felipao, 22 September 2006 - 08:50 PM.


#26 loophole (Malware Expert, Retired Staff, 9,798 posts)
We cross-posted... twice lol.. look up for new instructions :whistling:

Edited by loophole, 22 September 2006 - 08:59 PM.


#27
felipao

felipao

    Member

  • Topic Starter
  • Member
  • 23 posts
LOL :blink:

Ok, off I go. Wish me luck! :whistling:

#28
felipao

felipao

    Member

  • Topic Starter
  • Member
  • 23 posts
Ewido and AVG are working again. I am gonna run ewido as per your instructions. Meanwhile I am posting the requested logs.

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kkwhmbnd

*******************

Script file located at: \??\C:\WINNT\system32\dodhocbc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\mguard.exe deleted successfully.


File C:\WINNT\system32\explorer.exe not found!
Deletion of file C:\WINNT\system32\explorer.exe failed!

Could not process line:
C:\WINNT\system32\explorer.exe
Status: 0xc0000034

File C:\mguard.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ms Java for Windows NT deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Explorer deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:56 PM, on 22/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\winamp.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\system32\winamp.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#29
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
That hijack log is .... clean :whistling: Can you run ewido yet? If so, please run it and save the report for me to view. Also, I would love to have another combofix log. I am starting to think we are crippling this beast :blink:

Edit: I need to read better, glad ewido is working again.

Edited by loophole, 22 September 2006 - 09:40 PM.


#30
felipao

felipao

    Member

  • Topic Starter
  • Member
  • 23 posts
Ok, I forgot to mention before, but sometimes I am getting a weird shutdown. A small window pops up saying that the system is shutting down and for me to save all my work. I am just mentioning that because it just happened when I was running ewido. When it happened only 86 problems were found and the scan was still at the beginning...

Anyway, I am super glad my hijack log is clean! I am now rebooting into safe mode to run ewido. I will be posting the report as soon as it is ready.

Thanks again.

Felipe (aka felipao)

Edited by felipao, 22 September 2006 - 09:46 PM.
