ThUnDeR

Having a problem with win32.trojandownloader.zlob


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:31:29 PM, on 11/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\Fonts\svchost.exe

C:\WINDOWS\mrofinu1188.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\Fonts\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Insider\Insider.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\b148.exe

C:\Program Files\QdrPack\QdrPack9.exe

C:\Documents and Settings\Ahmad\Desktop\HiJackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wqxmflum.dll

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [a4c6cf8e] rundll32.exe "C:\WINDOWS\system32\ohkvfqhg.dll",b

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [insider] C:\Program Files\Insider\Insider.exe

O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

 

--

End of file - 6111 bytes

 

I exited out of Counter-Strike: Source and, whamo, I am somehow infected. I've tried disabling System Restore and then going into Safe Mode to try to clean everything out... but when I go to reboot, it's back again on startup. Kinda frustrated by this.


Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

 

 

Open HijackThis, click "Do a system scan only", and checkmark these entries. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wqxmflum.dll

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [a4c6cf8e] rundll32.exe "C:\WINDOWS\system32\ohkvfqhg.dll",b

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe

O4 - HKCU\..\Run: [insider] C:\Program Files\Insider\Insider.exe

O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"


NEXT

 

Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

     

    C:\WINDOWS\Fonts\svchost.exe

    C:\WINDOWS\mrofinu1188.exe

    C:\Program Files\QdrPack\QdrPack9.exe

    C:\Program Files\QdrPack

    C:\WINDOWS\b148.exe

    C:\WINDOWS\system32\wqxmflum.dll

    C:\WINDOWS\system32\ohkvfqhg.dll

    C:\Program Files\WinAble\winable.exe

    C:\Program Files\WinAble

    C:\Program Files\Insider\Insider.exe

    C:\Program Files\Insider\UnInstall.exe

  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

 

Please post the log from OTMoveIt, located here:

 

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

 

NEXT

 

Please download VundoFix.exe to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


NEXT

 

 

SDBot fix

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%

(the drive that contains the Windows directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log
=====================================================================

 

NEXT

 

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).

 

Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

 

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

 

  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt, and copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of extra.txt, here in your next reply.

Note: You may need to do this in two separate posts.

 

What DSS will do:

  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

 

 

In your next reply post:

OTMoveIt log

C:\vundofix.txt

SDFix Report.txt

DSS main.txt

 

You'll have to make multiple posts to get all the logs posted.

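The entries the helper picked out above for "Fix checked" are the result of a triage pass over the R3/O3/O4 lines of the first log. The Python script below is an added example, not part of the thread and not HijackThis's own logic; it re-implements the mechanical half of that triage (orphaned "(no file)" entries, executables directly in the Windows or Fonts directories, svchost.exe outside system32, the eight-random-letter DLL names typical of Vundo, long hex-string arguments, rundll32 calls with a one-letter export) over a constructed subset of the first log, and takes an analyst-supplied name list (WinAble and QdrPack here, taken from the helper's fix list) for the entries that only product knowledge identifies. The allow list of binaries that legitimately sit directly in C:\WINDOWS is an assumption and deliberately short.

```python
"""Triage of HijackThis R3/O3/O4 entries (added example; not from the thread
and not HijackThis's own logic). The heuristics are an assumption about what
a malware-removal helper looks for when choosing entries to 'Fix checked'."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|ocm)', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")           # Vundo-style DLL names
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")        # long hex argument
ONE_LETTER_EXPORT_RE = re.compile(r'\.dll"?,\s*[A-Za-z]$', re.IGNORECASE)
WINDIR = "C:\\WINDOWS"
# Binaries that legitimately sit directly in the Windows directory (assumed, partial).
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


@dataclass
class Entry:
    kind: str                  # "R3", "O3" or "O4"
    name: str                  # name as HijackThis prints it
    command: str               # file path or run command
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one R3/O3/O4 line; lines from other sections return None."""
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m.group("name"), m.group("cmd"))
    if line.startswith(("R3 - ", "O3 - ")):
        # Shape: "O3 - Toolbar: Security Toolbar - {CLSID} - C:\...\file.dll"
        head, file_part = line.rsplit(" - ", 1)
        name = head.split(" - ")[1].split(": ", 1)[-1]
        return Entry(line[:2], name, file_part)
    return None


def suspicious_reasons(entry: Entry, known_bad: Sequence[str]) -> List[str]:
    """Return every heuristic reason this entry deserves a closer look."""
    reasons: List[str] = []
    cmd = entry.command
    if "(no file)" in cmd:
        reasons.append("target file missing (orphaned entry)")
    m = PATH_RE.search(cmd)
    if m:
        path = m.group(0)
        directory, _, basename = path.rpartition("\\")
        low = basename.lower()
        if directory.upper() == WINDIR and low not in WINDIR_ALLOWLIST:
            reasons.append("executable directly in the Windows directory")
        if "\\FONTS\\" in path.upper() and low.endswith(".exe"):
            reasons.append("executable inside the Fonts directory")
        if low == "svchost.exe" and not directory.upper().endswith("\\SYSTEM32"):
            reasons.append("svchost.exe outside system32")
        if RANDOM_DLL_RE.match(basename):
            reasons.append("eight random lowercase letters .dll (Vundo-style name)")
        for bad in known_bad:
            if bad.lower() in path.lower():
                reasons.append(f"path matches analyst-supplied name '{bad}'")
    if HEX_BLOB_RE.search(cmd):
        reasons.append("long hex-string argument")
    if "rundll32" in cmd.lower() and ONE_LETTER_EXPORT_RE.search(cmd):
        reasons.append("rundll32 with a one-letter export name")
    return reasons


def triage(log_text: str, known_bad: Sequence[str] = ()) -> List[Entry]:
    """Return the flagged R3/O3/O4 entries of a HijackThis log, in log order."""
    flagged: List[Entry] = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is not None:
            entry.reasons = suspicious_reasons(entry, known_bad)
            if entry.reasons:
                flagged.append(entry)
    return flagged


# Constructed sample: a subset of the R3/O3/O4 lines from the first log in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wqxmflum.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [a4c6cf8e] rundll32.exe "C:\WINDOWS\system32\ohkvfqhg.dll",b
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, known_bad=("WinAble", "QdrPack")):
        print(f"{e.kind} [{e.name}] -> {'; '.join(e.reasons)}")
```

Run as-is it flags exactly the seven entries in the helper's list and leaves avast!, NvCplDaemon and ctfmon.exe alone; run without the `known_bad` list it still catches the five that need no product knowledge, which is the part worth automating. The output is a review queue, not a verdict: an entry sitting directly in C:\WINDOWS is a reason to look, and the allow list exists precisely because legitimate binaries live there too.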

After doing the above fixes, we need to get your Java updated.

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3
  • Scroll to Java Runtime Environment (JRE) 6 Update 3 and click on the download button
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

    Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.

    Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the Java icon next to it.

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
================================================================

Clearing Java Cache

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache; leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the downloaded applications and applets from the cache.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.


C:\WINDOWS\Fonts\svchost.exe moved successfully.

File/Folder C:\WINDOWS\mrofinu1188.exe not found.

File/Folder C:\Program Files\QdrPack\QdrPack9.exe not found.

File/Folder C:\Program Files\QdrPack not found.

C:\WINDOWS\b148.exe moved successfully.

File/Folder C:\WINDOWS\system32\wqxmflum.dll not found.

File/Folder C:\WINDOWS\system32\ohkvfqhg.dll not found.

File/Folder C:\Program Files\WinAble\winable.exe not found.

File/Folder C:\Program Files\WinAble not found.

C:\Program Files\Insider\Insider.exe moved successfully.

File/Folder C:\Program Files\Insider\UnInstall.exe not found.

 

Created on 11/21/2007 11:30:01

 

 

VundoFix V6.6.2

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 7:02:09 AM 11/20/2007

 

Listing files found while scanning....

 

C:\windows\system32\efiaxqgt.dll

C:\WINDOWS\system32\wqxmflum.dll

C:\windows\system32\wqxmflum.dllbox

 

Beginning removal...

 

Attempting to delete C:\windows\system32\efiaxqgt.dll

C:\windows\system32\efiaxqgt.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\wqxmflum.dll

C:\WINDOWS\system32\wqxmflum.dll Has been deleted!

 

Attempting to delete C:\windows\system32\wqxmflum.dllbox

C:\windows\system32\wqxmflum.dllbox Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.6.2

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 7:26:33 AM 11/20/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

VundoFix V6.6.2

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 11:42:08 PM 11/20/2007

 

Listing files found while scanning....

 

C:\windows\system32\cppzuaod.dll

C:\windows\system32\cppzuaod.dllbox

C:\windows\system32\hvpftrut.dll

 

Beginning removal...

 

Attempting to delete C:\windows\system32\cppzuaod.dll

C:\windows\system32\cppzuaod.dll Could not be deleted.

 

Attempting to delete C:\windows\system32\cppzuaod.dllbox

C:\windows\system32\cppzuaod.dllbox Has been deleted!

 

Attempting to delete C:\windows\system32\hvpftrut.dll

C:\windows\system32\hvpftrut.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\windows\system32\cppzuaod.dll

C:\windows\system32\cppzuaod.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.6.2

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 11:14:20 AM 11/21/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

VundoFix V6.6.2

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 11:32:40 AM 11/21/2007

 

Listing files found while scanning....

 

C:\windows\system32\fymsrkwy.dll

C:\windows\system32\fymsrkwy.dllbox

C:\windows\system32\injnuxjt.dll

 

Beginning removal...

 

Attempting to delete C:\windows\system32\fymsrkwy.dll

C:\windows\system32\fymsrkwy.dll Could not be deleted.

 

Attempting to delete C:\windows\system32\fymsrkwy.dllbox

C:\windows\system32\fymsrkwy.dllbox Has been deleted!

 

Attempting to delete C:\windows\system32\injnuxjt.dll

C:\windows\system32\injnuxjt.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\windows\system32\fymsrkwy.dll

C:\windows\system32\fymsrkwy.dll Has been deleted!

 

Performing Repairs to the registry.

Done!


SDFix: Version 1.115

 

Run by Ahmad on Wed 11/21/2007 at 11:58 AM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFIX

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\X.DAT - Deleted

C:\Z.DAT - Deleted

C:\Documents and Settings\Ahmad\x.dat - Deleted

C:\Documents and Settings\Ahmad\z.dat - Deleted

C:\DOCUME~1\Ahmad\LOCALS~1\Temp\removalfile.bat - Deleted

C:\n.bat - Deleted

C:\WINDOWS\b111.exe - Deleted

C:\WINDOWS\b128.exe - Deleted

C:\WINDOWS\b147.exe - Deleted

C:\WINDOWS\Fonts\Crack.exe - Deleted

C:\WINDOWS\Fonts\*.zip - 1 File(s) 637,943 bytes - Deleted

C:\WINDOWS\Fonts\'\*.zip - 579 File(s) 369,369,576 bytes - Deleted

 

x.dat and z.dat data copied to \SDFix\Data.txt

 

 

Folder C:\Program Files\InetGet2 - Removed

Folder C:\Program Files\Insider - Removed

Folder C:\Program Files\Temporary - Removed

Folder C:\WINDOWS\Fonts\' - Removed

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-21 12:08:00

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]

"khjeh"=hex:20,02,00,00,6f,d7,bc,ce,37,aa,d4,8f,f3,c4,37,a4,ee,e0,a5,0a,da,..

"hj34z0"=hex:3e,45,ea,e0,4c,98,21,d0,aa,bc,b2,7e,4b,6a,af,da,d9,11,ed,a7,f9,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]

"khjeh"=hex:20,02,00,00,6f,d7,bc,ce,d5,7f,42,c5,f3,c4,37,a4,ee,e0,a5,0a,da,..

"hj34z0"=hex:3e,45,ea,e0,4c,98,21,d0,aa,bc,b2,7e,4b,6a,af,da,d9,11,ed,a7,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]

"khjeh"=hex:20,02,00,00,6f,d7,bc,ce,9a,9f,61,14,f3,c4,37,a4,95,f1,a5,0a,d9,..

"hj34z0"=hex:19,44,ea,e0,5c,99,21,d0,aa,bc,b2,7e,4b,6a,af,da,d9,11,ed,a7,4d,..

"hj34z1"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,..

"hj34z2"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,..

"hj34z3"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,..

"hj34z4"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,..

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

C:\WINDOWS\system32\CatRoot2\edbtmp.log

C:\WINDOWS\LastGood

C:\WINDOWS\LastGood\INF

C:\WINDOWS\LastGood\INF\oem37.inf 0 bytes

C:\WINDOWS\LastGood\INF\oem37.PNF 0 bytes

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 5

 

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\counter-strike source\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"

"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"

"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"

"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"="C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"

"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"

"C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"

"C:\\Documents and Settings\\Younes\\Desktop\\New Folder\\iTunes.exe"="C:\\Documents and Settings\\Younes\\Desktop\\New Folder\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\EA SPORTS\\Madden NFL 06\\updater.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 06\\updater.exe:*:Enabled:Updater"

"C:\\Program Files\\EA SPORTS\\Madden NFL 06\\mainapp.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 06\\mainapp.exe:*:Enabled:mainapp"

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\EA SPORTS\\Madden NFL 07\\mainapp.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 07\\mainapp.exe:*:Enabled:mainapp"

"C:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe:*:Enabled:Updater"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\WINDOWS\\system32\\txiaacwj.exe"="C:\\WINDOWS\\system32\\txi"

"C:\\WINDOWS\\system32\\ugasbmwl.exe"="C:\\WINDOWS\\system32\\uga"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

Remaining Files:

---------------

 

File Backups: - C:\SDFIX\backups\backups.zip

 

Files with Hidden Attributes:

 

Sat 25 Mar 2006 80 A.SHR --- "C:\WINDOWS\system32\E92AFCCAC8.dll"

Sat 8 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Fri 8 Sep 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"

Sat 3 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT4F.tmp"

Wed 10 Jan 2007 839,703 A.SH. --- "C:\_OTMoveIt\MovedFiles\WINDOWS\Fonts\svchost.exe"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico1.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico22.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico23.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico24.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico25.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico26.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2B.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2C.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2D.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2E.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2F.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico30.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico31.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico32.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico33.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico34.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico35.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico36.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico37.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico38.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico39.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3B.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3C.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3D.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3E.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3F.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico4.tmp"

Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico5.tmp"

 

Finished!


Deckard's System Scanner v20071014.68

Run by Ahmad on 2007-11-21 12:14:54

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis (run as Ahmad.exe) -----------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:14:58 PM, on 11/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\AIM\aim.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\program files\steam\steam.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Ahmad\Desktop\dss.exe

C:\DOCUME~1\Ahmad\Desktop\Ahmad.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {137847A6-567A-4A2A-A96D-490AB6B582FB} - C:\WINDOWS\system32\ddayw.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {639DB5AF-9415-468F-B596-AFBF8BC2DD07} - (no file)

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll

O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - Winlogon Notify: fymsrkwy - C:\WINDOWS\

O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ugasbmwl.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

 

--

End of file - 7047 bytes

 

-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

 

2007-11-21 12:08:22 0 d-------- C:\WINDOWS\LastGood

2007-11-21 11:57:10 0 d-------- C:\WINDOWS\ERUNT

2007-11-21 11:11:17 80960 --a------ C:\WINDOWS\system32\ijoimnxc.dll

2007-11-21 11:05:18 85056 --a------ C:\WINDOWS\system32\eywpiwus.dll

2007-11-21 11:01:04 36864 --a------ C:\Documents and Settings\Ahmad\services.exe

2007-11-21 00:04:37 37376 --a------ C:\WINDOWS\system32\jkkiiji.dll

2007-11-20 23:35:14 80960 --a------ C:\WINDOWS\system32\wgwgrcwt.dll

2007-11-20 23:35:08 85056 --a------ C:\WINDOWS\system32\conajbhy.dll

2007-11-20 23:23:05 71232 --a------ C:\WINDOWS\system32\kjolkvmc.exe <Not Verified; ; DDC>

2007-11-20 07:02:09 0 d-------- C:\VundoFix Backups

2007-11-20 06:29:41 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-11-20 06:29:41 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >

2007-11-20 06:29:40 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2007-11-20 06:29:40 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>

2007-11-20 06:29:40 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-11-20 06:17:09 37376 --a------ C:\WINDOWS\system32\nnnonll.dll

2007-11-19 23:25:41 84544 --a------ C:\WINDOWS\system32\mbkvrgrp.dll

2007-11-19 17:51:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2007-11-19 16:46:07 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft

2007-11-19 16:45:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-11-19 15:34:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-19 14:28:52 2110 --a------ C:\WINDOWS\system32\tmp.reg

2007-11-19 05:22:55 36352 --a------ C:\WINDOWS\system32\yaywutq.dll

2007-11-18 23:07:37 79424 --a------ C:\WINDOWS\system32\warawgmj.dll

2007-11-18 19:26:22 0 d-------- C:\Program Files\Steam

2007-11-18 13:59:42 0 d-------- C:\Program Files\Webroot

2007-11-18 13:59:42 0 d-------- C:\Program Files\Common Files\Webroot Shared

2007-11-18 13:59:42 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot

2007-11-18 13:59:05 56832 --a------ C:\WINDOWS\Unwash6.exe <Not Verified; Webroot Software, Inc.; >

2007-11-18 11:57:24 0 d-------- C:\Program Files\Advanced Windows Cleaner

2007-11-18 10:49:34 440657 --ahs---- C:\WINDOWS\system32\wyadd.ini2

2007-11-18 10:49:23 320608 --a------ C:\WINDOWS\system32\ddayw.dll

2007-11-18 10:47:54 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>

2007-11-18 10:44:28 36352 --a------ C:\WINDOWS\system32\yayaywt.dll

2007-11-18 10:44:15 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll

2007-11-18 10:42:52 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-18 10:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-04 11:27:27 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll

2007-11-04 11:27:27 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

2007-11-04 11:27:12 0 d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor

2007-11-01 21:30:55 0 d-------- C:\WINDOWS\Prefetch

2007-10-27 10:47:07 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat

2007-10-27 10:47:07 4980736 --a------ C:\Documents and Settings\Ahmad\ntuser.dat

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-11-21 12:13:48 0 d-------- C:\Program Files\Al Muhaddith

2007-11-20 20:17:56 0 d---s---- C:\Program Files\Xfire

2007-11-20 16:29:45 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Xfire

2007-11-20 07:20:33 0 d-------- C:\Program Files\Common Files

2007-11-18 12:21:52 0 d-------- C:\Program Files\iTunes

2007-11-18 10:28:12 0 d-------- C:\Program Files\Lavasoft

2007-11-18 10:28:10 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Lavasoft

2007-11-18 10:27:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-18 10:21:39 0 d-------- C:\Program Files\Viewpoint

2007-11-18 10:20:36 0 d-------- C:\Program Files\The Weather Channel FW

2007-11-18 10:19:50 0 d-------- C:\Program Files\Maxthon

2007-11-18 10:19:22 0 d-------- C:\Program Files\Google

2007-11-18 10:19:05 0 d-------- C:\Program Files\EA SPORTS

2007-11-18 10:18:33 0 d-------- C:\Program Files\Air France TravelDesk

2007-11-18 10:15:14 0 d-------- C:\Program Files\Alitalia TravelDesk

2007-11-18 10:14:21 0 d-------- C:\Program Files\Pcsx2

2007-11-04 11:27:22 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-11-01 21:21:38 22720 --a----c- C:\WINDOWS\system32\emptyregdb.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{137847A6-567A-4A2A-A96D-490AB6B582FB}]

11/18/2007 10:49 AM 320608 --a------ C:\WINDOWS\system32\ddayw.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{639DB5AF-9415-468F-B596-AFBF8BC2DD07}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

11/18/2007 10:44 AM 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [02/28/2004 12:12 PM]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 04:06 AM]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/20/2005 01:07 PM]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"AIM"="C:\Program Files\AIM\aim.exe" [04/27/2004 04:18 PM]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 09:49 PM]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/2005 10:02 AM]

"Steam"="c:\program files\steam\steam.exe" [11/18/2007 07:26 PM]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

 

C:\Documents and Settings\Ahmad\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 6:16:50 PM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

Prayer Times.lnk - C:\HAD\PTW.EXE [5/27/2006 9:46:00 AM]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\wvuvttr.dll [11/18/2007 10:44 AM 36352]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fymsrkwy]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr]

wvuvttr.dll 11/18/2007 10:44 AM 36352 C:\WINDOWS\system32\wvuvttr.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"C:\Program Files\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

AutoRun\command- H:\Madden06.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

AutoRun\command- I:\RunGame.exe

 

*Newly Created Service* - CATCHME

 

 

 

-- End of Deckard's System Scanner: finished at 2007-11-21 12:16:04 ------------


Welcome back

 

Still quite infected here

 

 

These two files

C:\X.DAT - Deleted

C:\Z.DAT - Deleted

Are info stealers. If you use this machine for sensitive items like banking, eBay, PayPal, or credit cards, please go to a known clean computer and change those.

It can even steal passwords and information for online gaming.

 

 

Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

 

 

 

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer

http://russelltexas.com/malware/teatimer.htm

 

After you have disabled TeaTimer, download ResetTeaTimer.bat

http://downloads.subratam.org/ResetTeaTimer.bat

to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)

After all the fixes have been carried through

Double-click ResetTeaTimer.bat and let it run.

This will only take a few seconds.

 

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {137847A6-567A-4A2A-A96D-490AB6B582FB} - C:\WINDOWS\system32\ddayw.dll

O2 - BHO: (no name) - {639DB5AF-9415-468F-B596-AFBF8BC2DD07} - (no file)

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll

O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

O20 - Winlogon Notify: fymsrkwy - C:\WINDOWS\

O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ugasbmwl.exe (file missing)

 

 

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote box to Notepad.

Save it to your desktop, make sure the file type is All Files, and name it FixServices.bat.

 

@echo off

sc stop DomainService

sc delete DomainService

exit

Double click FixServices.bat.

A window will open and close. This is normal.

 

 

 

NEXT

 

* Double-click on OTMoveIt.exe to start the program

# Untick the option to Unregister Dll's and Ocx's (1).

# Select the contents of the below quotebox, then press Ctrl+C to copy it to the clipboard.

C:\WINDOWS\system32\ddayw.dll

C:\WINDOWS\system32\wvuvttr.dll

C:\WINDOWS\SYSTEM32\fymsrkwy.dll

C:\WINDOWS\system32\txiaacwj.exe

C:\WINDOWS\system32\ugasbmwl.exe

C:\WINDOWS\system32\ijoimnxc.dll

C:\WINDOWS\system32\eywpiwus.dll

C:\Documents and Settings\Ahmad\services.exe

C:\WINDOWS\system32\jkkiiji.dll

C:\WINDOWS\system32\wgwgrcwt.dll

C:\WINDOWS\system32\conajbhy.dll

C:\WINDOWS\system32\kjolkvmc.exe

C:\VundoFix Backups

C:\WINDOWS\system32\nnnonll.dll

C:\WINDOWS\system32\mbkvrgrp.dll

C:\WINDOWS\system32\yaywutq.dll

C:\WINDOWS\system32\warawgmj.dll

C:\WINDOWS\system32\wyadd.ini2

C:\WINDOWS\system32\vbzip10.dll

C:\WINDOWS\system32\yayaywt.dll

C:\SDFix\backups

# In OTMoveIt right-click on the box labelled Paste List of Files/Folders to be Moved.

# Click Paste (2).

# Click MoveIt! (3).

# If it asks you to reboot allow that.

# A logfile will be created at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

 

 

 

Next, launch Notepad (Start > Run, type in: notepad) and

copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\WINDOWS\\system32\\txiaacwj.exe"=-

"C:\\WINDOWS\\system32\\ugasbmwl.exe"=-

 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{137847A6-567A-4A2A-A96D-490AB6B582FB}]

 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{639DB5AF-9415-468F-B596-AFBF8BC2DD07}]

 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fymsrkwy]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save the file as "delete.reg". Make sure to save it with the quotes. Choose "Save type as - All Files".

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards. Now reboot.

 

 

 

In your next reply post:

OTMoveIt log

New DSS log

 

Let me know how things are running now

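To make the selection rules behind the helper's "fix checked" list concrete, here is an added Python example, not the helper's tool and not part of HijackThis or this thread, that applies those rules to lines constructed from the log posted above and decodes the hex(7) value the delete.reg file writes; the rule set and the function names are this example's own.

```python
import re

# Sample lines constructed from the HijackThis log posted earlier in this thread
# (a subset; one known-good line per section is kept to show it is not flagged).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {137847A6-567A-4A2A-A96D-490AB6B582FB} - C:\WINDOWS\system32\ddayw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {639DB5AF-9415-468F-B596-AFBF8BC2DD07} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: fymsrkwy - C:\WINDOWS\
O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ugasbmwl.exe (file missing)
"""

# Every HijackThis line starts with a section code (R0-R3, O1-O24) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return a reason string if the line matches one of the reply's rules of thumb, else None.

    The rules mirror what the helper picked for "fix checked":
    orphaned entries, unnamed BHOs/toolbars, any Winlogon Notify DLL that
    HijackThis shows (the default set is hidden), and services with no owner.
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "entry points at a file that no longer exists (orphaned)"
    if section in ("O2", "O3") and "(no name)" in body:
        return "unnamed BHO/toolbar loaded by Internet Explorer"
    if section == "O20":
        return "Winlogon Notify DLL outside the default set, loaded at every logon"
    if section == "O23" and "Unknown owner" in body:
        return "service with no publisher information"
    return None


def triage(log_text):
    """Return [(line, reason), ...] for every line that one of the rules flags."""
    flagged = []
    for line in log_text.strip().splitlines():
        reason = triage_line(line)
        if reason:
            flagged.append((line, reason))
    return flagged


def decode_reg_multi_sz(hex7_value):
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ, single-byte ANSI) byte list into its strings."""
    raw = bytes(int(b, 16) for b in hex7_value.split(","))
    return [s for s in raw.decode("latin-1").split("\x00") if s]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FLAG: {line}\n      {reason}")
    # The value the delete.reg file above writes back into the LSA key.
    print("Notification Packages ->", decode_reg_multi_sz("73,63,65,63,6c,69,00,00"))
```

Running it flags exactly the eight lines the reply lists and shows the .reg line restores "Notification Packages" to the single default entry scecli.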

I just want you to know how much I really appreciate the help so far.

 

File move failed. C:\WINDOWS\system32\ddayw.dll scheduled to be moved on reboot.

File move failed. C:\WINDOWS\system32\wvuvttr.dll scheduled to be moved on reboot.

File/Folder C:\WINDOWS\SYSTEM32\fymsrkwy.dll not found.

File/Folder C:\WINDOWS\system32\txiaacwj.exe not found.

File/Folder C:\WINDOWS\system32\ugasbmwl.exe not found.

C:\WINDOWS\system32\ijoimnxc.dll moved successfully.

C:\WINDOWS\system32\eywpiwus.dll moved successfully.

C:\Documents and Settings\Ahmad\services.exe moved successfully.

C:\WINDOWS\system32\jkkiiji.dll moved successfully.

C:\WINDOWS\system32\wgwgrcwt.dll moved successfully.

C:\WINDOWS\system32\conajbhy.dll moved successfully.

C:\WINDOWS\system32\kjolkvmc.exe moved successfully.

C:\VundoFix Backups moved successfully.

C:\WINDOWS\system32\nnnonll.dll moved successfully.

C:\WINDOWS\system32\mbkvrgrp.dll moved successfully.

C:\WINDOWS\system32\yaywutq.dll moved successfully.

C:\WINDOWS\system32\warawgmj.dll moved successfully.

C:\WINDOWS\system32\wyadd.ini2 moved successfully.

C:\WINDOWS\system32\vbzip10.dll moved successfully.

C:\WINDOWS\system32\yayaywt.dll moved successfully.

Folder move failed. C:\SDFix\backups\HOSTS scheduled to be moved on reboot.

C:\SDFix\backups moved successfully.

 

Created on 11/21/2007 20:00:46

 

 

 

 

 

Deckard's System Scanner v20071014.68

Run by Ahmad on 2007-11-21 20:15:52

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

System Drive C: has 3.59 GiB (less than 15%) free.

 

 

-- HijackThis (run as Ahmad.exe) -----------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:16:02 PM, on 11/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\program files\steam\steam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Xfire\Xfire.exe

C:\Documents and Settings\Ahmad\Desktop\dss.exe

C:\DOCUME~1\Ahmad\Desktop\Ahmad.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7D4E49BE-906D-47AE-B4B2-601AB714B307} - C:\WINDOWS\system32\ddayw.dll

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

 

--

End of file - 6908 bytes

 

-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

 

2007-11-21 20:02:59 485107 --ahs---- C:\WINDOWS\system32\wyadd.ini2

2007-11-21 19:48:02 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2007-11-21 13:30:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia

2007-11-21 12:57:07 0 d-------- C:\Program Files\Sun

2007-11-21 12:53:33 0 d-------- C:\Program Files\Java

2007-11-21 12:53:09 0 d-------- C:\Program Files\Common Files\Java

2007-11-21 11:57:10 0 d-------- C:\WINDOWS\ERUNT

2007-11-20 06:29:41 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-11-20 06:29:41 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >

2007-11-20 06:29:40 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2007-11-20 06:29:40 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>

2007-11-20 06:29:40 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-11-19 17:51:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2007-11-19 16:46:07 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft

2007-11-19 16:45:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-11-19 15:34:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-19 14:28:52 2110 --a------ C:\WINDOWS\system32\tmp.reg

2007-11-18 19:26:22 0 d-------- C:\Program Files\Steam

2007-11-18 13:59:42 0 d-------- C:\Program Files\Webroot

2007-11-18 13:59:42 0 d-------- C:\Program Files\Common Files\Webroot Shared

2007-11-18 13:59:42 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot

2007-11-18 13:59:05 56832 --a------ C:\WINDOWS\Unwash6.exe <Not Verified; Webroot Software, Inc.; >

2007-11-18 11:57:24 0 d-------- C:\Program Files\Advanced Windows Cleaner

2007-11-18 10:49:23 320608 --a------ C:\WINDOWS\system32\ddayw.dll

2007-11-18 10:44:15 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll

2007-11-18 10:42:52 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-18 10:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-04 11:27:27 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll

2007-11-04 11:27:27 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

2007-11-04 11:27:12 0 d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor

2007-11-01 21:30:55 0 d-------- C:\WINDOWS\Prefetch

2007-10-27 10:47:07 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat

2007-10-27 10:47:07 4980736 --a------ C:\Documents and Settings\Ahmad\ntuser.dat

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-11-21 20:13:04 0 d-------- C:\Program Files\Al Muhaddith

2007-11-21 14:51:48 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Xfire

2007-11-21 12:53:09 0 d-------- C:\Program Files\Common Files

2007-11-20 20:17:56 0 d---s---- C:\Program Files\Xfire

2007-11-18 12:21:52 0 d-------- C:\Program Files\iTunes

2007-11-18 10:28:12 0 d-------- C:\Program Files\Lavasoft

2007-11-18 10:28:10 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Lavasoft

2007-11-18 10:27:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-18 10:21:39 0 d-------- C:\Program Files\Viewpoint

2007-11-18 10:20:36 0 d-------- C:\Program Files\The Weather Channel FW

2007-11-18 10:19:50 0 d-------- C:\Program Files\Maxthon

2007-11-18 10:19:22 0 d-------- C:\Program Files\Google

2007-11-18 10:19:05 0 d-------- C:\Program Files\EA SPORTS

2007-11-18 10:18:33 0 d-------- C:\Program Files\Air France TravelDesk

2007-11-18 10:15:14 0 d-------- C:\Program Files\Alitalia TravelDesk

2007-11-18 10:14:21 0 d-------- C:\Program Files\Pcsx2

2007-11-04 11:27:22 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-11-01 21:21:38 22720 --a----c- C:\WINDOWS\system32\emptyregdb.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4E49BE-906D-47AE-B4B2-601AB714B307}]

11/18/2007 10:49 AM 320608 --a------ C:\WINDOWS\system32\ddayw.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

11/18/2007 10:44 AM 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [02/28/2004 12:12 PM]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 04:06 AM]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/20/2005 01:07 PM]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 06:00 AM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"AIM"="C:\Program Files\AIM\aim.exe" [04/27/2004 04:18 PM]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 09:49 PM]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/2005 10:02 AM]

"Steam"="c:\program files\steam\steam.exe" [11/18/2007 07:26 PM]

 

C:\Documents and Settings\Ahmad\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 6:16:50 PM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

Prayer Times.lnk - C:\HAD\PTW.EXE [5/27/2006 9:46:00 AM]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\wvuvttr.dll [11/18/2007 10:44 AM 36352]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr]

wvuvttr.dll 11/18/2007 10:44 AM 36352 C:\WINDOWS\system32\wvuvttr.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"C:\Program Files\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

AutoRun\command- H:\Madden06.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

AutoRun\command- I:\RunGame.exe

 

 

 

 

-- End of Deckard's System Scanner: finished at 2007-11-21 20:16:40 ------------

 

 

One thing I've noticed: even through the first half of the cleaning, Ad-Aware would be picking up Win32.TrojanDownloader.Zlob despite the lack of pop-ups. I'm going to run it right now to see if it's finally gone.


Welcome back

 

I just want you to know how much I really appreciate the help so far.

You're very welcome.

 

Please disable AVG Anti-Spyware as it may interfere with the fix.

Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.

In the Resident Shield section, toggle the AVG Anti-Spyware active protection off by clicking Change state, which will then change the protection status to 'inactive'.

If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.

Reply No and set it to inactive for the duration of your cleanup.

 

 

 

 

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

A side note about AIM Messenger, AOL users and Viewpoint Manager: Viewpoint is one of the graphics engines that AOL uses, and it is bundled with the application. If you continue to use AIM Messenger, it would likely be reinstalled. Or, if you receive some of the AOL E-cards, it may ask you to download and run this program to view and run the graphics in the E-cards.

Your call

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

 

Viewpoint

Viewpoint Manager

Viewpoint Media Player

 

 

 

Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

 

 

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O2 - BHO: (no name) - {7D4E49BE-906D-47AE-B4B2-601AB714B307} - C:\WINDOWS\system32\ddayw.dll

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll

O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll

 

 

 

Download ComboFix© by sUBs Here or Here

 

IMPORTANT !! Place it on your Desktop.

In case you have used ComboFix before, please delete the version you have now and re-download it, as ComboFix is updated every day.

If your anti-virus or firewall gives alerts, please allow this script to run, as it is not malicious.

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

KillAll::

 

File::

C:\WINDOWS\system32\wyadd.ini2

C:\WINDOWS\system32\ddayw.dll

C:\WINDOWS\system32\wvuvttr.dll

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4E49BE-906D-47AE-B4B2-601AB714B307}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

 

Clearing Java Cache

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

 

In your next reply post:

ComboFix.txt

New HJT log taken after the above scan has run

 

Let me know how the computer is running now

 

Also let me know if you would like a list of Free Firewalls.

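An added example (editor's code, not from this thread, from ComboFix or from Deckard's System Scanner) that does by script what the CFScript above does by hand. It walks a "Registry Dump" in the format posted earlier in the thread, reports every DLL hooked into two or more autostart locations (Browser Helper Objects, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages), flags anything in Authentication Packages beyond the Windows XP default msv1_0, and decodes and re-encodes the hex(7) REG_MULTI_SZ value the script uses to reset that key. The dump text embedded below is a constructed excerpt copied from the entries shown in this thread; the function names and the substring-based classification of registry keys are my own. One caveat worth knowing: the eight bytes in the posted reset line are the ANSI REGEDIT4 layout (one byte per character, two terminating NULs); a Unicode regedit export of the same value would show 00 bytes interleaved between the characters.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt in the format of the Deckard's System Scanner
# "Registry Dump" posted in this thread (entries copied from that dump).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4E49BE-906D-47AE-B4B2-601AB714B307}]
11/18/2007 10:49 AM 320608 --a------ C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
11/18/2007 10:44 AM 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 04:06 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\wvuvttr.dll [11/18/2007 10:44 AM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr]
wvuvttr.dll 11/18/2007 10:44 AM 36352 C:\WINDOWS\system32\wvuvttr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll
"""

# Autostart locations abused in this infection, recognised by a substring of the
# lowercased key path (classification scheme is the editor's, not the tool's).
CATEGORIES = {
    "browser helper objects": "BHO",
    "explorer\\shellexecutehooks": "ShellExecuteHook",
    "winlogon\\notify": "WinlogonNotify",
    "control\\lsa": "LSA",
}
# A drive-letter path ending in .dll; stops at quotes/brackets the dump uses as delimiters.
DLL_PATH = re.compile(r'[a-z]:\\[^"\[\]\r\n]*?\.dll', re.IGNORECASE)
# Windows XP ships with msv1_0 as the only LSA authentication package.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_reg_multi_sz(hex_value):
    """Decode a REGEDIT4-style hex(7) value (ANSI, one byte per char, NUL-separated,
    double-NUL terminated) into its list of strings."""
    body = hex_value.replace("hex(7):", "")
    data = bytes(int(b, 16) for b in body.split(",") if b)
    return [s for s in data.decode("latin-1").split("\x00") if s]


def encode_reg_multi_sz(strings):
    """Inverse of decode_reg_multi_sz: build the hex(7) text a CFScript Registry:: block expects."""
    data = "".join(s + "\x00" for s in strings).encode("latin-1") + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_loading_points(dump_text):
    """Map each DLL path (lowercased) to the set of autostart categories referencing it,
    and return the raw 'Authentication Packages' value if the LSA key is present."""
    hits = defaultdict(set)
    auth_packages = None
    category = None
    for line in dump_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):  # new registry key: decide which category it belongs to
            key = line.strip("[]").lower()
            category = next((c for s, c in CATEGORIES.items() if s in key), None)
            continue
        if category == "LSA" and line.lower().startswith('"authentication packages"'):
            auth_packages = line.split("=", 1)[1].strip()
        if category is None:  # key we are not tracking (e.g. ordinary Run entries)
            continue
        for path in DLL_PATH.findall(line):
            hits[path.lower()].add(category)
    return hits, auth_packages


def triage(dump_text):
    """Findings a responder acts on: one DLL registered in two or more autostart
    locations, and anything loaded by LSA beyond the default package list."""
    hits, auth_packages = parse_loading_points(dump_text)
    findings = []
    for path, cats in sorted(hits.items()):
        if len(cats) >= 2:
            findings.append(("multi-hook", path, sorted(cats)))
    if auth_packages:
        paths = [p.lower() for p in DLL_PATH.findall(auth_packages)]
        names = DLL_PATH.sub("", auth_packages).split()
        extras = [n for n in names if n.lower() not in DEFAULT_AUTH_PACKAGES]
        for item in paths + extras:
            findings.append(("lsa-auth-package", item, ["LSA"]))
    return findings


if __name__ == "__main__":
    for kind, path, cats in triage(SAMPLE_DUMP):
        print(f"{kind:17} {path}  <- {', '.join(cats)}")
    # The reset line for the LSA key, in the form used in the CFScript above.
    print('"Authentication Packages"=' + encode_reg_multi_sz(DEFAULT_AUTH_PACKAGES))
```

Run stand-alone, it reports wvuvttr.dll as hooked from the BHO, ShellExecuteHooks and Winlogon Notify keys and ddayw.dll as hooked from a BHO and loaded by LSA as an authentication package, which is exactly the set of keys the CFScript deletes; the final printed line reproduces the "Authentication Packages" reset value from that script byte for byte. A DLL loaded by lsass.exe at logon is the reason a plain file deletion kept failing here: it is in use before the desktop appears, so the registry value has to be reset in the same pass as the file removal.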

Yep, it came back, the pop-ups and such. I'll keep on chuggin' :) I haven't tried your latest instructions; doing so now.


Welcome back.

 

I haven't tried your latest instructions, doing so now.

 

Post back with the logs after you've completed those instructions in post #9.

 

 

I'll be leaving for a while, it being a holiday but will check back in later this evening.

 

Happy Thanksgiving

Edited by Juliet


ComboFix 07-11-19.3 - Ahmad 2007-11-22 12:18:35.4 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.365 [GMT -6:00]

Running from: C:\Documents and Settings\Ahmad\Desktop\ComboFix(2).exe

Command switches used :: C:\Documents and Settings\Ahmad\Desktop\CFScript.txt

 

FILE

C:\WINDOWS\system32\ddayw.dll

C:\WINDOWS\system32\wvuvttr.dll

C:\WINDOWS\system32\wyadd.ini2

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\mghfdndu.dllbox

 

.

((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))

.

 

2007-11-22 11:13 85,056 --a------ C:\WINDOWS\system32\ydftyata.dll

2007-11-22 11:01 145,984 --a------ C:\WINDOWS\system32\mghfdndu.dll

2007-11-22 11:01 145,984 --a------ C:\WINDOWS\system32\hcstljfi.dll

2007-11-21 19:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2007-11-21 12:57 <DIR> d-------- C:\Program Files\Sun

2007-11-21 12:56 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-21 12:55 5,097 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log

2007-11-21 12:53 <DIR> d-------- C:\Program Files\Java

2007-11-21 12:53 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-21 11:57 <DIR> d-------- C:\WINDOWS\ERUNT

2007-11-20 23:35 657,841 ---hs---- C:\WINDOWS\system32\yhbjanoc.ini

2007-11-20 06:29 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-11-19 23:19 816,368 ---hs---- C:\WINDOWS\system32\kycqfolt.ini

2007-11-19 17:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2007-11-19 16:46 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft

2007-11-19 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-11-19 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-18 19:26 <DIR> d-------- C:\Program Files\Steam

2007-11-18 13:59 <DIR> d-------- C:\Program Files\Webroot

2007-11-18 13:59 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared

2007-11-18 13:59 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot

2007-11-18 13:59 56,832 --a------ C:\WINDOWS\Unwash6.exe

2007-11-18 11:57 <DIR> d-------- C:\Program Files\Advanced Windows Cleaner

2007-11-18 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-04 11:27 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor

2007-11-04 11:27 374,752 --a------ C:\WINDOWS\system32\WUSBGXP.sys

2007-11-04 11:27 339,488 --a------ C:\WINDOWS\system32\WUSB20XP.sys

2007-11-04 11:27 245,376 --a------ C:\WINDOWS\system32\rt2500usb.sys

2007-11-04 11:27 8,090 --a------ C:\WINDOWS\system32\WUSB54G.cat

2007-11-04 11:27 308 --a------ C:\WINDOWS\system32\results.txt

2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime

2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime

2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime

2007-11-01 21:28 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime

2007-11-01 21:28 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime

2007-11-01 21:28 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls

2007-11-01 21:27 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime

2007-11-01 21:27 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll

2007-11-01 21:27 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys

2007-11-01 21:27 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll

2007-11-01 21:26 101,888 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll

2007-11-01 21:26 92,160 --a--c--- C:\WINDOWS\system32\dllcache\evntwin.exe

2007-11-01 21:26 57,856 --a--c--- C:\WINDOWS\system32\dllcache\esuimgd.dll

2007-11-01 21:26 45,056 --a--c--- C:\WINDOWS\system32\dllcache\esunid.dll

2007-11-01 21:26 31,744 --a--c--- C:\WINDOWS\system32\dllcache\esucmd.dll

2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\et4000.sys

2007-11-01 21:26 24,632 --a--c--- C:\WINDOWS\system32\dllcache\fpadmcgi.exe

2007-11-01 21:26 24,064 --a--c--- C:\WINDOWS\system32\dllcache\evntcmd.exe

2007-11-01 21:26 20,541 --a--c--- C:\WINDOWS\system32\dllcache\fpadmdll.dll

2007-11-01 21:25 189,440 --a--c--- C:\WINDOWS\system32\dllcache\smtpadm.dll

2007-11-01 21:25 188,494 --a--c--- C:\WINDOWS\system32\dllcache\fpcount.exe

2007-11-01 21:25 76,800 --a--c--- C:\WINDOWS\system32\dllcache\logui.ocx

2007-11-01 21:25 68,608 --a--c--- C:\WINDOWS\system32\dllcache\iisext51.dll

2007-11-01 21:25 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll

2007-11-01 21:25 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll

2007-11-01 21:25 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe

2007-11-01 21:25 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll

2007-11-01 21:25 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll

2007-11-01 21:24 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll

2007-11-01 21:24 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2007-11-01 21:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2007-11-01 21:13 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll

2007-11-01 21:13 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll

2007-11-01 21:13 13,312 --a------ C:\WINDOWS\system32\irclass.dll

2007-11-01 21:13 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll

2007-11-01 21:12 1,042,903 --a--c--- C:\WINDOWS\system32\dllcache\SP2.CAT

2007-11-01 21:12 31,281 --a--c--- C:\WINDOWS\system32\dllcache\FP4.CAT

2007-11-01 21:12 13,753 --a--c--- C:\WINDOWS\system32\dllcache\IMS.CAT

2007-11-01 21:12 13,472 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT

2007-11-01 21:12 9,581 --a--c--- C:\WINDOWS\system32\dllcache\MSMSGS.CAT

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-22 17:55 --------- d-----w C:\Program Files\Al Muhaddith

2007-11-22 17:15 80,960 ----a-w C:\WINDOWS\system32\fiotyyao.dll

2007-11-21 20:51 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Xfire

2007-11-21 02:17 --------- d-s---w C:\Program Files\Xfire

2007-11-18 18:21 --------- d-----w C:\Program Files\iTunes

2007-11-18 16:28 --------- d-----w C:\Program Files\Lavasoft

2007-11-18 16:28 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Lavasoft

2007-11-18 16:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-18 16:21 --------- d-----w C:\Program Files\Viewpoint

2007-11-18 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint

2007-11-18 16:20 --------- d-----w C:\Program Files\The Weather Channel FW

2007-11-18 16:19 --------- d-----w C:\Program Files\Maxthon

2007-11-18 16:19 --------- d-----w C:\Program Files\Google

2007-11-18 16:19 --------- d-----w C:\Program Files\EA SPORTS

2007-11-18 16:18 --------- d-----w C:\Program Files\Air France TravelDesk

2007-11-18 16:15 --------- d-----w C:\Program Files\Alitalia TravelDesk

2007-11-18 16:14 --------- d-----w C:\Program Files\Pcsx2

2007-11-04 17:27 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-11-04 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-10-04 05:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe

2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2007-09-06 05:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe

2006-08-20 03:28 19,952 -c--a-w C:\Documents and Settings\Younes\Application Data\GDIPFONTCACHEV1.DAT

2006-03-21 01:06 24 -c--a-w C:\Documents and Settings\Ahmad\mylist.dat

2003-07-31 23:53 147,456 ----a-w C:\WINDOWS\inf\EL2K_XP.sys

2003-07-31 23:50 448,768 ----a-w C:\WINDOWS\inf\EL2K_N64.sys

2003-07-31 23:43 147,456 ----a-w C:\WINDOWS\inf\EL2K_2K.sys

2006-03-25 22:34 80 -csha-r C:\WINDOWS\system32\E92AFCCAC8.dll

.

 

((((((((((((((((((((((((((((( snapshot@2007-11-22_12.14.31.03 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-08-14 19:02:52 65,390 ----a-w C:\WINDOWS\AisAAAg.dat

+ 2007-08-14 19:22:51 65,471 ----a-w C:\WINDOWS\AisAAAg.dat

+ 2007-11-22 18:22:48 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_650.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

2007-11-22 11:01 145984 --a------ C:\WINDOWS\system32\mghfdndu.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mghfdndu.dll [2007-11-22 11:01 145984]

 

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 16:18]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-03-08 10:02]

"Steam"="c:\program files\steam\steam.exe" [2007-11-18 19:26]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

Prayer Times.lnk - C:\HAD\PTW.EXE [2006-05-27 09:46:00]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mghfdndu]

mghfdndu.dll 2007-11-22 11:01 145984 C:\WINDOWS\system32\mghfdndu.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

C:\Program Files\D-Tools\daemon.exe -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-02-23 15:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

C:\Program Files\MSN Messenger\msnmsgr.exe /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

 

R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe"

R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys

S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\C:\WINDOWS\system32\Drivers\Aldebaran.sys

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\Madden06.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

\Shell\AutoRun\command - I:\RunGame.exe

 

*Newly Created Service* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

"2007-11-22 01:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-22 12:23:32

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-11-22 12:26:14 - machine was rebooted

C:\ComboFix2.txt ... 2007-11-22 12:15

.

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:01:21 PM, on 11/22/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Ahmad\Desktop\Ahmad.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mghfdndu.dll

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mghfdndu.dll

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - Winlogon Notify: mghfdndu - C:\WINDOWS\SYSTEM32\mghfdndu.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

 

--

End of file - 6541 bytes


Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mghfdndu.dll

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mghfdndu.dll

O20 - Winlogon Notify: mghfdndu - C:\WINDOWS\SYSTEM32\mghfdndu.dll

 

 

 

 

 

 

For this next step, please ensure that ComboFix.exe is on your desktop:

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

KillAll::

 

File::

C:\WINDOWS\system32\mghfdndu.dll

C:\WINDOWS\system32\ydftyata.dll

C:\WINDOWS\system32\hcstljfi.dll

C:\WINDOWS\system32\yhbjanoc.ini

C:\WINDOWS\system32\kycqfolt.ini

C:\WINDOWS\system32\fiotyyao.dll

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-

[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mghfdndu]

 


 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

 

NEXT

 

*Note

It is recommended to disable your resident antivirus and antispyware programs while performing these scans so that there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

The program launches and downloads the latest definition files.

  • Once the files are downloaded, click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under "Select a target to scan", select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.


To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

 

 

 

 

 

 

NEXT

 

Your log shows that you have disabled some startup programs using msconfig. This is not recommended because I cannot clearly see everything that is loading on your computer at startup. This can be bad if they are malware, so I would like you to re-enable those startup entries.

 

To re-enable all startup items please follow these instructions:

Please go to Start -> Run and type (or copy and paste):

msconfig

Click OK.

If not already selected go to the General Tab.

Under Startup Selection select "Normal StartUp- load all device drivers and services"

Click Apply and then Close.

When you are prompted to reboot, select "Exit Without Restart"

 

 

 

 

In your next reply post:

ComboFix.txt

Kaspersky log

New HJT log taken after the above scans have run

 

Tell me how the computer is running now. Also, do you need info on free firewalls?

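The three entries the helper singles out above share one file, mghfdndu.dll, a random-looking eight-letter name in system32, hooked three different ways: as a BHO (O2), as an IE toolbar (O3) and as a Winlogon Notify package (O20). The script below is an added example for this thread, not HijackThis or ComboFix code. It parses lines in HijackThis 2.0 format, scores each entry on exactly those signals (random-looking name, an IE/Winlogon hook loaded from system32, one file reached through several hook types) and drafts a CFScript in the File::/Registry:: layout the helper used. The sample log lines are constructed from entries in this thread; the name heuristic, the hook set and the score threshold of 3 are assumptions, and the registry key shorthand mirrors the helper's script rather than any documented ComboFix format.

```python
"""Triage HijackThis 2.0 log lines and draft a ComboFix CFScript.

Added example for this thread; not HijackThis or ComboFix code.  The
scoring heuristics, the threshold and the key shorthand are assumptions.
"""
import re
from collections import defaultdict

HJT_LINE = re.compile(r"^(?P<kind>[ROF]\d+) - (?P<body>.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WINPATH = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe|ocx|ini|sys)', re.IGNORECASE)
HOOK_KINDS = {"O2", "O3", "O20"}   # BHO, IE toolbar, Winlogon Notify (assumed set)
VOWELS = set("aeiou")

# Constructed sample: entries copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mghfdndu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mghfdndu.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: mghfdndu - C:\WINDOWS\SYSTEM32\mghfdndu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_hjt(text):
    """Split each 'Oxx - ...' line into kind, body, first GUID and first Windows path."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        guid, path = GUID.search(body), WINPATH.search(body)
        entries.append({"kind": m.group("kind"), "body": body,
                        "guid": guid.group(0).upper() if guid else None,
                        "path": path.group(0) if path else None})
    return entries


def name_score(path):
    """2 if the file stem looks machine-generated (eight lowercase letters that are
    vowel-poor or carry a consonant run of 3+), else 0.  Heuristic, not a verdict."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z]{8}", stem):
        return 0
    vowels = sum(c in VOWELS for c in stem)
    run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return 2 if vowels <= 2 or run >= 3 else 0


def triage(entries, threshold=3):
    """Score every entry that names a file; return those at or above the threshold."""
    kinds_by_file = defaultdict(set)
    for e in entries:
        if e["path"]:
            kinds_by_file[e["path"].lower()].add(e["kind"])
    findings = []
    for e in entries:
        if not e["path"]:
            continue
        key, score, reasons = e["path"].lower(), 0, []
        if e["kind"] in HOOK_KINDS and key.startswith("c:\\windows\\system32\\"):
            score += 1
            reasons.append(f"{e['kind']} hook loaded from system32")
        if name_score(e["path"]):
            score += 2
            reasons.append("random-looking eight-letter file name")
        if len(kinds_by_file[key]) > 1:   # one DLL persisting through several hook types
            score += 2
            reasons.append("same file hooked via " + "/".join(sorted(kinds_by_file[key])))
        if score >= threshold:
            findings.append({**e, "score": score, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Draft File:: and Registry:: sections in the layout the helper posted above."""
    files, seen, reg = [], set(), []
    for f in findings:
        if f["path"].lower() not in seen:
            seen.add(f["path"].lower())
            files.append(f["path"])
        if f["kind"] == "O2" and f["guid"]:
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f['guid']}]")
        elif f["kind"] == "O3" and f["guid"]:
            reg.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]")
            reg.append(f'"{f["guid"]}"=-')
            reg.append(f"[-HKEY_CLASSES_ROOT\\clsid\\{f['guid'].lower()}]")
        elif f["kind"] == "O20":
            name = f["body"].split(":", 1)[1].split(" - ")[0].strip()
            reg.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                       f"\\currentversion\\winlogon\\notify\\{name}]")
    return "\n".join(["KillAll::", "", "File::", *files, "", "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    hits = triage(parse_hjt(SAMPLE_LOG))
    for h in hits:
        print(f"{h['kind']:<4} score={h['score']}  {h['path']}  <- {'; '.join(h['reasons'])}")
    print(build_cfscript(hits))
```

Run as-is it reports the three mghfdndu entries (score 5 each) and prints the drafted script; point parse_hjt at a saved log to triage a real one. The name heuristic will miss a dropper with a plausible-looking name and will flag a few legitimate eight-letter system DLLs, so treat the score as a sort order for review, not as an automatic fix list.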

I actually think I have this thing pinned. Here's my latest log. It's not reappearing anymore after I nailed it with redoing all of your instructions and, on top of that, doing a boot-time scan with avast. I've been clean for most of this evening (which is a good sign; usually I'm back to infected in less than an hour).

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:23:07 PM, on 11/22/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\program files\steam\steam.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Xfire\Xfire.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Ahmad\Desktop\Ahmad.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

 

--

End of file - 6687 bytes

 

 

How's that look?


welcome back

I actually think I have this thing pinned. Here's my latest log. It's not reappearing anymore after I nailed it with redoing all of your instructions and, on top of that, doing a boot-time scan with avast. I've been clean for most of this evening (which is a good sign; usually I'm back to infected in less than an hour).

Yep, that's all good news.

You supplied me with a new HJT log (I hope taken after the scans were run) but I can't give you the all clear till I see those last logs from

In your next reply post:

ComboFix.txt

Kaspersky log

 

How's that look?

Good

 

Post those logs, we're probably ready for final cleanup and preventive tips.



 

Alrighty, I'll get on it. :) As for the firewall, you might have noticed I did get one instead of using Windows'. I had been using Sygate PF for a while, then stopped after I had some issues with it. Now it's all good. I'll run the scans here and post the logs. :)


 

I might have spoken too soon :(

 

Seems combofix found those files again, and deleted them.

 

ComboFix 07-11-19.3 - Ahmad 2007-11-23 7:09:31.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.313 [GMT -6:00]

Running from: C:\Documents and Settings\Ahmad\Desktop\ComboFix(2).exe

Command switches used :: C:\Documents and Settings\Ahmad\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\WINDOWS\system32\fiotyyao.dll

C:\WINDOWS\system32\hcstljfi.dll

C:\WINDOWS\system32\kycqfolt.ini

C:\WINDOWS\system32\mghfdndu.dll

C:\WINDOWS\system32\ydftyata.dll

C:\WINDOWS\system32\yhbjanoc.ini

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\fiotyyao.dll

C:\WINDOWS\system32\kycqfolt.ini

C:\WINDOWS\system32\ydftyata.dll

C:\WINDOWS\system32\yhbjanoc.ini

 

.

((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))

.

 

2007-11-21 19:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2007-11-21 12:57 <DIR> d-------- C:\Program Files\Sun

2007-11-21 12:56 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-21 12:55 5,097 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log

2007-11-21 12:53 <DIR> d-------- C:\Program Files\Java

2007-11-21 12:53 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-21 11:57 <DIR> d-------- C:\WINDOWS\ERUNT

2007-11-20 06:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-11-20 06:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-11-20 06:29 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-11-19 17:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2007-11-19 16:46 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft

2007-11-19 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-11-19 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-19 14:28 2,110 --a------ C:\WINDOWS\system32\tmp.reg

2007-11-19 14:28 0 --a------ C:\WINDOWS\system32\tmp.txt

2007-11-18 23:04 681,286 ---hs---- C:\WINDOWS\system32\ghqfvkho.ini

2007-11-18 19:26 <DIR> d-------- C:\Program Files\Steam

2007-11-18 13:59 <DIR> d-------- C:\Program Files\Webroot

2007-11-18 13:59 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared

2007-11-18 13:59 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot

2007-11-18 13:59 56,832 --a------ C:\WINDOWS\Unwash6.exe

2007-11-18 11:57 <DIR> d-------- C:\Program Files\Advanced Windows Cleaner

2007-11-18 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-04 11:27 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor

2007-11-04 11:27 374,752 --a------ C:\WINDOWS\system32\WUSBGXP.sys

2007-11-04 11:27 339,488 --a------ C:\WINDOWS\system32\WUSB20XP.sys

2007-11-04 11:27 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll

2007-11-04 11:27 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD

2007-11-04 11:27 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys

2007-11-04 11:27 8,090 --a------ C:\WINDOWS\system32\WUSB54G.cat

2007-11-04 11:27 1,668 --a------ C:\WINDOWS\system32\WLAN.INI

2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime

2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime

2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime

2007-11-01 21:28 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime

2007-11-01 21:28 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime

2007-11-01 21:28 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls

2007-11-01 21:27 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime

2007-11-01 21:27 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll

2007-11-01 21:27 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys

2007-11-01 21:27 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll

2007-11-01 21:26 101,888 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll

2007-11-01 21:26 92,160 --a--c--- C:\WINDOWS\system32\dllcache\evntwin.exe

2007-11-01 21:26 57,856 --a--c--- C:\WINDOWS\system32\dllcache\esuimgd.dll

2007-11-01 21:26 45,056 --a--c--- C:\WINDOWS\system32\dllcache\esunid.dll

2007-11-01 21:26 31,744 --a--c--- C:\WINDOWS\system32\dllcache\esucmd.dll

2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\et4000.sys

2007-11-01 21:26 24,632 --a--c--- C:\WINDOWS\system32\dllcache\fpadmcgi.exe

2007-11-01 21:26 24,064 --a--c--- C:\WINDOWS\system32\dllcache\evntcmd.exe

2007-11-01 21:26 20,541 --a--c--- C:\WINDOWS\system32\dllcache\fpadmdll.dll

2007-11-01 21:25 189,440 --a--c--- C:\WINDOWS\system32\dllcache\smtpadm.dll

2007-11-01 21:25 188,494 --a--c--- C:\WINDOWS\system32\dllcache\fpcount.exe

2007-11-01 21:25 76,800 --a--c--- C:\WINDOWS\system32\dllcache\logui.ocx

2007-11-01 21:25 68,608 --a--c--- C:\WINDOWS\system32\dllcache\iisext51.dll

2007-11-01 21:25 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll

2007-11-01 21:25 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll

2007-11-01 21:25 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe

2007-11-01 21:25 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll

2007-11-01 21:25 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll

2007-11-01 21:24 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll

2007-11-01 21:24 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest

2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2007-11-01 21:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2007-11-01 21:13 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll

2007-11-01 21:13 13,312 --a------ C:\WINDOWS\system32\irclass.dll

2007-11-01 21:13 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll

2007-11-01 21:12 1,042,903 --a--c--- C:\WINDOWS\system32\dllcache\SP2.CAT

2007-11-01 21:12 31,281 --a--c--- C:\WINDOWS\system32\dllcache\FP4.CAT

2007-11-01 21:12 13,753 --a--c--- C:\WINDOWS\system32\dllcache\IMS.CAT

2007-11-01 21:12 13,472 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT

2007-11-01 21:12 9,581 --a--c--- C:\WINDOWS\system32\dllcache\MSMSGS.CAT

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-23 12:10 --------- d-----w C:\Program Files\Al Muhaddith

2007-11-21 20:51 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Xfire

2007-11-21 02:17 --------- d-s---w C:\Program Files\Xfire

2007-11-18 18:21 --------- d-----w C:\Program Files\iTunes

2007-11-18 16:28 --------- d-----w C:\Program Files\Lavasoft

2007-11-18 16:28 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Lavasoft

2007-11-18 16:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-18 16:21 --------- d-----w C:\Program Files\Viewpoint

2007-11-18 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint

2007-11-18 16:20 --------- d-----w C:\Program Files\The Weather Channel FW

2007-11-18 16:19 --------- d-----w C:\Program Files\Maxthon

2007-11-18 16:19 --------- d-----w C:\Program Files\Google

2007-11-18 16:19 --------- d-----w C:\Program Files\EA SPORTS

2007-11-18 16:18 --------- d-----w C:\Program Files\Air France TravelDesk

2007-11-18 16:15 --------- d-----w C:\Program Files\Alitalia TravelDesk

2007-11-18 16:14 --------- d-----w C:\Program Files\Pcsx2

2007-11-04 17:27 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-11-04 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information

2006-08-20 03:28 19,952 -c--a-w C:\Documents and Settings\Younes\Application Data\GDIPFONTCACHEV1.DAT

2006-03-21 01:06 24 -c--a-w C:\Documents and Settings\Ahmad\mylist.dat

2006-03-25 22:34 80 -csha-r C:\WINDOWS\system32\E92AFCCAC8.dll

.

 

((((((((((((((((((((((((((((( [email protected]_12.14.31.03 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-08-14 19:02:52 65,390 ----a-w C:\WINDOWS\AisAAAg.dat

+ 2007-08-15 14:13:48 65,795 ----a-w C:\WINDOWS\AisAAAg.dat

- 2007-11-21 17:57:28 4,820,992 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat

+ 2007-11-22 21:02:41 4,993,024 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat

- 2007-11-21 17:57:28 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2007-11-22 21:02:41 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2007-11-22 22:54:02 4,608 ----a-r C:\WINDOWS\Installer\{F34D9A5F-484A-4E31-A9D3-908CB265B289}\IconC989D247.exe

+ 2004-10-16 00:17:02 60,496 ----a-w C:\WINDOWS\system32\drivers\Teefer.sys

+ 2004-10-16 00:32:38 14,568 ----a-w C:\WINDOWS\system32\drivers\wg3n.sys

+ 2004-10-16 00:32:40 14,568 ----a-w C:\WINDOWS\system32\drivers\wg4n.sys

+ 2004-10-16 00:32:42 14,568 ----a-w C:\WINDOWS\system32\drivers\wg5n.sys

+ 2004-10-16 00:32:44 14,568 ----a-w C:\WINDOWS\system32\drivers\wg6n.sys

+ 2004-10-16 00:18:46 21,075 ----a-w C:\WINDOWS\system32\drivers\wpsdrvnt.sys

+ 2004-10-16 00:31:58 99,480 ----a-w C:\WINDOWS\system32\FwsVpn.dll

+ 2004-10-16 00:31:56 218,264 ----a-w C:\WINDOWS\system32\SetAid.dll

+ 2004-10-16 00:32:10 83,096 ----a-w C:\WINDOWS\system32\SSSensor.dll

+ 2007-11-23 13:13:46 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_694.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 16:18]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-03-08 10:02]

"Steam"="c:\program files\steam\steam.exe" [2007-11-18 19:26]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

Prayer Times.lnk - C:\HAD\PTW.EXE [2006-05-27 09:46:00]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

C:\Program Files\D-Tools\daemon.exe -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-02-23 15:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

C:\Program Files\MSN Messenger\msnmsgr.exe /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

 

R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys

S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\C:\WINDOWS\system32\Drivers\Aldebaran.sys

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\Madden06.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

\Shell\AutoRun\command - I:\RunGame.exe

 

*Newly Created Service* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

"2007-11-22 01:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-23 07:14:50

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-11-23 7:16:57 - machine was rebooted

C:\ComboFix2.txt ... 2007-11-22 15:11

C:\ComboFix3.txt ... 2007-11-22 12:26

.

--- E O F ---

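Two lines in the log above deserve attention before the thread gets to them: C:\WINDOWS\system32\E92AFCCAC8.dll is 80 bytes, carries hidden and system attribute letters and has a bare hex name (the helper asks for a VirusTotal check on it a few posts later), and ghqfvkho.ini was dropped into system32 as a hidden system file on 11-18 but was not in the CFScript. The script below is an added example for this thread, not ComboFix code. It parses ComboFix-style listing lines (the "Files Created", "Find3M" and +/- snapshot formats seen above), flags hidden+system files dropped directly in system32, PE-extension files too small to be a loadable image, and bare-hex filenames, and separately lists the \Shell\AutoRun\command handlers recorded under mountpoints2. The attribute-letter meaning (h = hidden, s = system), the 97-byte lower bound for a loadable PE and the sample lines (constructed from entries in this log) are assumptions.

```python
"""Pick suspicious files out of ComboFix-style directory listings.

Added example for this thread; not ComboFix code.  Attribute-letter meaning,
the minimal-PE size and the sample lines are assumptions/constructions.
"""
import ntpath
import re

# [+|- ] date time[:ss] size attrs path  (Files Created, Find3M and snapshot sections)
LISTING = re.compile(
    r"^(?:[+-] )?(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?) +"
    r"(?P<size>[\d,]+|<DIR>|-{9}) +(?P<attrs>[A-Za-z-]{7,9}) +(?P<path>[A-Za-z]:\\.+)$"
)
AUTORUN = re.compile(r"\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
HEX_STEM = re.compile(r"[0-9A-F]{8,}")
PE_EXT = {".dll", ".exe", ".sys", ".ocx"}
SMALLEST_PE = 97  # assumption: smallest file XP will load as a PE image (tiny-PE research)

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LISTING = r"""
2007-11-21 19:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-20 06:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-18 23:04 681,286 ---hs---- C:\WINDOWS\system32\ghqfvkho.ini
2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2007-11-23 12:10 --------- d-----w C:\Program Files\Al Muhaddith
2006-03-25 22:34 80 -csha-r C:\WINDOWS\system32\E92AFCCAC8.dll
+ 2007-11-22 22:54:02 4,608 ----a-r C:\WINDOWS\Installer\{F34D9A5F-484A-4E31-A9D3-908CB265B289}\IconC989D247.exe
\Shell\AutoRun\command - H:\Madden06.exe
"""


def parse_listing(text):
    """Return one dict per listing line: path, lowercase attrs, size in bytes (None
    for directories), and an is_dir flag."""
    files = []
    for raw in text.splitlines():
        m = LISTING.match(raw.strip())
        if not m:
            continue
        size, attrs = m.group("size"), m.group("attrs").lower()
        files.append({
            "path": m.group("path"),
            "attrs": attrs,
            "size": int(size.replace(",", "")) if size[0].isdigit() else None,
            "is_dir": size == "<DIR>" or attrs.startswith("d"),
        })
    return files


def triage_files(files):
    """Attach a list of reasons to every file that trips at least one check."""
    findings = []
    for f in files:
        if f["is_dir"]:
            continue
        low = f["path"].lower()
        stem, ext = ntpath.splitext(ntpath.basename(f["path"]))
        reasons = []
        # dllcache is a legitimate dumping ground for copies; system32 itself is not
        in_system32 = low.startswith("c:\\windows\\system32\\") and "\\dllcache\\" not in low
        if in_system32 and "h" in f["attrs"] and "s" in f["attrs"]:
            reasons.append("hidden+system file dropped directly in system32")
        if ext.lower() in PE_EXT and f["size"] is not None and f["size"] < SMALLEST_PE:
            reasons.append(f"{f['size']}-byte {ext} cannot be a loadable PE image")
        if HEX_STEM.fullmatch(stem):
            reasons.append("file name is a bare hex string")
        if reasons:
            findings.append({"path": f["path"], "reasons": reasons})
    return findings


def find_autoruns(text):
    """AutoRun handlers recorded under mountpoints2: benign for the game discs in
    this log, but the same key is how removable-media worms get launched."""
    return [m.group("cmd") for m in map(AUTORUN.search, text.splitlines()) if m]


if __name__ == "__main__":
    for hit in triage_files(parse_listing(SAMPLE_LISTING)):
        print(hit["path"], "<-", "; ".join(hit["reasons"]))
    for cmd in find_autoruns(SAMPLE_LISTING):
        print("AutoRun handler:", cmd)
```

An 80-byte hidden DLL is exactly the kind of file a signature scanner reports clean on, since there is no executable content to match, which is why the helper asks for a VirusTotal lookup and a hash rather than trusting the absence of detections. The script only ranks such files for review; it does not decide what they are.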

While I work on your next fix do this....

 

Please ensure Hidden files and folders are viewable:

 

Go to My Computer->Tools->Folder Options->View tab:

* Under the Hidden files and folders heading:

* select Show hidden files and folders.

* Uncheck Hide protected operating system files (recommended) option.

*Also, make sure there is no checkmark beside Hide file extensions for known file types.

* Click OK.

 

 

 

 

 

 

Please go to: VirusTotal


  • Click the Browse button and search for the following file: C:\WINDOWS\system32\E92AFCCAC8.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

Then please run this file through next:

C:\WINDOWS\Installer\{F34D9A5F-484A-4E31-A9D3-908CB265B289}\IconC989D247.exe

 

 

I would like to see a Kaspersky log.


I'm currently scanning with Kaspersky... it's taking quite a while, only 30% through, but so far it has shown 4 viruses and 14 infected objects :(


Don't be worried yet......

It depends on where it was found and what folders....

 

Be sure to include the info for the requested file scan at VirusTotal and the Kaspersky log for me next.



Well...

 

File IconC989D247.exe received on 11.23.2007 15:07:25 (CET)

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2007.11.23.1 | 2007.11.23 | -
AntiVir | 7.6.0.34 | 2007.11.23 | -
Authentium | 4.93.8 | 2007.11.21 | -
Avast | 4.7.1074.0 | 2007.11.22 | -
AVG | 7.5.0.503 | 2007.11.23 | -
BitDefender | 7.2 | 2007.11.23 | -
CAT-QuickHeal | 9.00 | 2007.11.22 | -
ClamAV | 0.91.2 | 2007.11.23 | -
DrWeb | 4.44.0.09170 | 2007.11.23 | -
eSafe | 7.0.15.0 | 2007.11.21 | -
eTrust-Vet | 31.3.5318 | 2007.11.23 | -
Ewido | 4.0 | 2007.11.23 | -
FileAdvisor | 1 | 2007.11.23 | -
Fortinet | 3.14.0.0 | 2007.11.23 | -
F-Prot | 4.4.2.54 | 2007.11.22 | -
F-Secure | 6.70.13030.0 | 2007.11.23 | -
Ikarus | T3.1.1.12 | 2007.11.23 | -
Kaspersky | 7.0.0.125 | 2007.11.21 | -
McAfee | 5169 | 2007.11.22 | -
Microsoft | 1.3007 | 2007.11.23 | -
NOD32v2 | 2681 | 2007.11.23 | -
Norman | 5.80.02 | 2007.11.22 | -
Panda | 9.0.0.4 | 2007.11.23 | -
Prevx1 | V2 | 2007.11.23 | -
Rising | 20.19.41.00 | 2007.11.23 | -
Sophos | 4.23.0 | 2007.11.23 | -
Sunbelt | 2.2.907.0 | 2007.11.22 | -
Symantec | 10 | 2007.11.23 | -
TheHacker | 6.2.9.138 | 2007.11.22 | -
VBA32 | 3.12.2.5 | 2007.11.23 | -
VirusBuster | 4.3.26:9 | 2007.11.23 | -
Webwasher-Gateway | 6.0.1 | 2007.11.23 | -

Additional information
File size: 4608 bytes
MD5: 756ecd7a63948637e6c95f0f4ea560c4
SHA1: fc026cea6bce5e213e187cce9eed79c399d38f78

 

It did not find the first file you asked me to look for.

 

So far with Kaspersky, it's up to 9 viruses and 40 infected files. I noticed the number of viruses jumped when it searched the System Volume Information folder.


Yes, typical.

 

We have a fix for that too......

 

I'll know more when it's complete.


I don't know how I can paste the Kaspersky log. It's incredibly massive. If I had to guess, it'd be over 10 posts if not more. Is there a more efficient way?


Look through the log and scan out those locked and skipped.

 

Those items held in quarantine folders from your antivirus are encrypted.

 

The System Volume Information folder is important, but we can clean those out by creating a clean restore point...

No, I really don't want to go through 10 pages of Kaspersky log....

 

I'm looking for infection names now.

Let me know if any are identified as Virut or Virtob

 

 

And last but not least.....

IF we have to, you'll have to post multiple times....

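The triage the helper describes above (skip the locked objects, set System Volume Information and quarantine hits aside, list the infection names and call out Virut or Virtob) as an added script; it is not part of this thread or of any Kaspersky tool. The line format is approximated from Kaspersky Online Scanner reports, and the sample paths, GUID, quarantine folder and detection names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Kaspersky Online Scanner report lines (not the
# poster's real log): one scanned object per line, ending in "skipped" plus a reason.
# Paths, GUID and detection names are made-up placeholders.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\config\\SYSTEM Object is locked skipped
C:\\WINDOWS\\example_dropper.exe Infected: Trojan-Downloader.Win32.Example.a skipped
C:\\WINDOWS\\system32\\example.dll Infected: Trojan.Win32.Example.b skipped
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000001.exe Infected: Trojan-Downloader.Win32.Example.a skipped
C:\\System Volume Information\\_restore{GUID}\\RP2\\A0000002.exe Infected: Virus.Win32.Virut.q skipped
C:\\Program Files\\ExampleAV\\Quarantine\\file.vir Infected: Trojan.Win32.Example.b skipped
"""

INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED = re.compile(r" Object is locked skipped$")
# Hits in these folders are set aside, as the helper says: quarantine stores hold
# encrypted copies and System Restore snapshots are cleared by a fresh restore point.
# The quarantine folder name is a placeholder; the real one depends on the product.
SET_ASIDE_FOLDERS = ("\\system volume information\\", "\\quarantine\\")
FILE_INFECTORS = ("virut", "virtob")  # families the helper wants called out

def triage(log_text):
    """Summarise a scan log: live detections, set-aside detections, locked count,
    and whether a Virut/Virtob family name appears anywhere."""
    live, set_aside, locked = defaultdict(list), defaultdict(list), 0
    for line in log_text.splitlines():
        if LOCKED.search(line):      # OS-locked files (registry hives etc.): noise
            locked += 1
            continue
        m = INFECTED.match(line)
        if not m:                    # clean objects / other report lines
            continue
        path, name = m.group("path"), m.group("name")
        bucket = set_aside if any(f in path.lower() for f in SET_ASIDE_FOLDERS) else live
        bucket[name].append(path)
    seen = [n.lower() for n in list(live) + list(set_aside)]
    flag = any(k in n for n in seen for k in FILE_INFECTORS)
    return {"live": dict(live), "set_aside": dict(set_aside),
            "locked": locked, "file_infector_seen": flag}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"locked/skipped objects: {r['locked']}")
    for group in ("live", "set_aside"):
        for name, paths in sorted(r[group].items()):
            print(f"[{group}] {name}: {len(paths)} object(s)")
    print("Virut/Virtob seen:", r["file_infector_seen"])
```

Pointing `triage` at a real report file gives a summary short enough to post instead of the full log.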