Octavarium

Virus/spyware problems

12 posts in this topic

Alright. So I'm having some problems. I've been having them for about a week and trying to fix them on my own, but it wasn't working. Basically, here are my symptoms:

The most recent one, but the most important, is that when my computer starts, usually within 2-3 minutes, I get an error message telling me that "System and controller app has shut down" and then I get the 60 seconds until reboot message.

My second problem is that every time I load up my computer, SpywareGuard tells me I have an unwanted BHO that's been installed, and no matter what I try and do to remove it, it keeps on coming back. The number it gives me for the BHO changes every time I load up, however, if that means anything.

My final problem (that I can think of off the top of my head, anyways) is that occasionally Avast will tell me I have a virus, and the same thing with that: it won't get removed. It's usually some variant of a Win32 virus, but it changes.

My computer's now telling me I have 30 seconds until shutdown, so I'll see you later! Thanks in advance!

Please read our Forum FAQ in order to find out what info we need (HijackThis log) so we can help you.

EDIT: Ahh.... okay. Here's HijackThis. Looking through this, it also might be worth mentioning I used to have BearShare, but I got rid of it. Looks like it's still on there...

Logfile of HijackThis v1.99.1
Scan saved at 2:44:33 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\windows\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\windows\system32\dumprep.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\windows\system32\dwwin.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Operav9\Opera.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Teh Pwnerer\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ikiwjvvk.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [bearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137029215869
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137029485108
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B45D099-95EB-4860-B78C-C102FC59F46F}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: winmxw32 - C:\windows\SYSTEM32\winmxw32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

EDIT again: Ewido scan:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:09:39 PM, 5/25/2007
+ Report-Checksum: D6C9DA12

+ Scan result:

C:\Documents and Settings\Teh Pwnerer\Cookies\teh pwnerer@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Teh Pwnerer\Cookies\teh pwnerer@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Teh Pwnerer\Cookies\teh pwnerer@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Teh Pwnerer\Cookies\teh pwnerer@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Teh Pwnerer\Cookies\teh pwnerer@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup

::Report End

Edited by Octavarium


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 1 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Step #2

Scan again with HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ikiwjvvk.dll

O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [bearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O20 - Winlogon Notify: winmxw32 - C:\windows\SYSTEM32\winmxw32.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3

We need to make sure all hidden files are showing, so please:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Step #4

Reboot your system in Safe Mode:

  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #5

Find and delete these files and folders (if they are still there):

C:\Program Files\BearShare\BearShare.exe <= this folder
C:\Program Files\BearFlix <= this folder

C:\windows\SYSTEM32\winmxw32.dll <= this file

Reboot your computer normally.

Step #6

Please go HERE to run Panda's ActiveScan:

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Step #7

Download Combofix to your desktop.

Double-click combofix.exe and follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Step #8

Open HijackThis.

  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager.
  • Click Save list (generates uninstall_list.txt).
  • Click Save, then copy and paste the results in your next post.

Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review them when they come in.

Edited by didom
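Step #2 of the reply above picks lines out of the HijackThis log by eye: a start page redirected to a third-party site, entries whose target file is gone, BHOs registered with no name, and a Winlogon Notify DLL. The script below is an added example, not a tool from this forum, from HijackThis or from the helper; it encodes those same signals as rules and ranks the lines so a reviewer sees the most suspicious ones first. The sample input is a subset of the HJT lines posted in this thread (including ordinary Adobe, NVIDIA and SSODL entries to show what is not flagged). The list of stock start-page hosts, the "short lowercase DLL in system32" rule and its vowel threshold are assumptions of the example, and that last rule is deliberately labelled low confidence.

```python
"""Rule-based triage for HijackThis (v1.99) log lines.

Added example for this thread; it is not a forum tool, not part of
HijackThis, and not what the helper ran. It ranks lines on the kinds of
signals a reviewer looks for by eye and leaves the decision to a human.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample input: a subset of the log lines posted earlier in this thread,
# including ordinary entries (Adobe, NvCpl, SSODL) to show what is NOT flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ikiwjvvk.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: winmxw32 - C:\windows\SYSTEM32\winmxw32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
"""

# Stock IE start/search page hosts (assumption: kept deliberately short).
DEFAULT_PAGE_HOSTS = {"www.msn.com", "www.microsoft.com", "go.microsoft.com"}

# A .dll directly under system32 whose stem is 5-8 letters.
_SYS32_DLL = re.compile(r"\\system32\\([a-z]{5,8})\.dll\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def _unusual_system32_dll(line):
    """Low-confidence rule (assumption): an all-lowercase 5-8 letter .dll in
    system32 with fewer than three vowels (ddccc, ikiwjvvk). Mixed-case vendor
    names such as NvCpl.dll fail the lowercase test and are left alone."""
    m = _SYS32_DLL.search(line)
    if not m:
        return False
    stem = m.group(1)
    return stem == stem.lower() and sum(c in "aeiou" for c in stem) < 3


def classify(line):
    """Return a Finding for one HJT line; an empty reasons list means 'ordinary'."""
    line = line.strip()
    tag = line.split(" - ", 1)[0]          # R0, R3, O2, O20, ...
    reasons = []

    # R0/R1: start or search page. Anything other than blank/about:blank or a
    # stock default host is a candidate hijack (here: google.bearshare.com).
    if tag in ("R0", "R1") and "=" in line:
        value = line.split("=", 1)[1].strip()
        if value and value != "about:blank" and urlparse(value).hostname not in DEFAULT_PAGE_HOSTS:
            reasons.append("start/search page points at a third-party site")

    # A registry entry whose target is gone: the loader outlived the file.
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("entry points at a file that no longer exists")

    # Legitimate BHOs almost always carry a product name.
    if tag == "O2" and "(no name)" in line:
        reasons.append("Browser Helper Object registered without a name")

    # Winlogon Notify packages run inside winlogon at every logon.
    if tag == "O20":
        reasons.append("Winlogon Notify DLL (loaded at every logon)")

    if _unusual_system32_dll(line):
        reasons.append("short lowercase DLL name in system32 (low confidence)")

    return Finding(line, reasons)


def triage(log_text):
    """Parse a HJT log and return only the flagged lines, most reasons first."""
    findings = (classify(l) for l in log_text.splitlines() if l.strip())
    return sorted((f for f in findings if f.reasons), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

On the sample, the unnamed BHO whose DLL is already missing scores highest, the two entries with a live DLL in system32 come next, and the Adobe, NVIDIA and Windows Portable Devices entries are not reported at all. A "(file missing)" entry is harmless on its own, but it records that something registered itself there, which is exactly why a reviewer asks for it to be fixed rather than ignored.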

"Teh Pwnerer" - 2007-05-27 19:07:48 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Teh Pwnerer\Desktop\"

Rootkit driver xpdt is present. ... attempting disinfection
xpdt ...... driver unloaded successfully.
ADS removed - system32: deleted 78580 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\windows\system32\glhhhnta.dll
C:\windows\system32\idqxpfif.dll
C:\windows\system32\ikiwjvvk.dll
C:\windows\system32\kflofwpv.dll
C:\windows\system32\winmxw32.dll
C:\windows\system32\edeeg.bak1
C:\windows\system32\edeeg.bak2
C:\windows\system32\edeeg.ini
C:\windows\system32\vpwfolfk.ini
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\windows\system32\geede.dll
C:\windows\system32\khffdef.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

"C:\windows\gimmygames1.dat"
"C:\windows\winsysupd41.dat"
"C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon"

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService

((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))

2007-05-27 18:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-27 17:06 124,436 --a------ C:\WINDOWS\system32\ofqddeuh.dll
2007-05-25 16:57 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-25 16:57 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-25 16:57 <DIR> d-------- C:\Program Files\Xvid
2007-05-24 13:53 <DIR> d-------- C:\VundoFix Backups
2007-05-22 20:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
2007-05-22 20:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-22 20:27 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-22 20:27 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-22 20:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-22 20:27 2,126 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-20 21:49 <DIR> d-------- C:\Program Files\GameTop.com
2007-05-20 19:38 542 --a------ C:\WINDOWS\eReg.dat
2007-05-20 19:21 33,792 -ra------ C:\WINDOWS\NPSExec.exe
2007-05-20 19:21 <DIR> d-------- C:\Program Files\Electronic Arts
2007-05-20 19:19 <DIR> d-------- C:\Program Files\Maxis
2007-05-16 14:48 <DIR> d-------- C:\Program Files\QuickTime
2007-05-02 20:24 <DIR> d-------- C:\Program Files\Myst

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 01:04:45 -------- d-----w C:\DOCUME~1\TEHPWN~1\APPLIC~1\uTorrent
2007-05-28 00:52:05 -------- d-----w C:\Program Files\DAEMON Tools
2007-05-28 00:52:04 -------- d-----w C:\Program Files\iTunes
2007-05-28 00:52:03 -------- d-----w C:\Program Files\SpywareGuard
2007-05-28 00:52:03 -------- d-----w C:\Program Files\ResChanger 2005
2007-05-28 00:51:50 -------- d-----w C:\Program Files\Operav9
2007-05-25 23:39:32 -------- d-----w C:\Program Files\Soulseek
2007-05-25 20:46:49 -------- d-----w C:\Program Files\ewido anti-malware
2007-05-25 03:56:52 -------- d-----w C:\DOCUME~1\TEHPWN~1\APPLIC~1\OpenOffice.org2
2007-05-21 01:40:39 -------- d-----w C:\Program Files\Yahoo!
2007-05-21 01:22:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-21 00:30:16 639,224 ----a-w C:\windows\system32\drivers\sptd.sys
2007-05-15 00:01:53 -------- d-----w C:\Program Files\LimeWire
2007-04-21 20:35:24 -------- d-----w C:\Program Files\Riven DVD
2007-04-21 05:38:49 -------- d-----w C:\Program Files\DivX
2007-04-21 00:23:03 240 ----a-w C:\windows\PowerReg.dat
2007-04-21 00:22:48 2,272 ----a-w C:\windows\system32\w95inf16.dll
2007-04-21 00:22:47 4,608 ----a-w C:\windows\system32\w95inf32.dll
2007-04-21 00:22:07 -------- d-----w C:\Program Files\Microprose
2007-04-18 16:12:23 2,854,400 ----a-w C:\windows\system32\msi.dll
2007-03-30 01:00:43 4,212 ---h--w C:\windows\system32\zllictbl.dat
2007-03-27 07:55:57 524,288 ----a-w C:\windows\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
2007-03-27 07:55:23 200,704 ----a-w C:\windows\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\windows\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\windows\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\windows\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\windows\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\windows\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\windows\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\windows\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\windows\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\windows\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\windows\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\windows\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\windows\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\windows\system32\DivX.dll
2007-03-17 13:43:01 292,864 ----a-w C:\windows\system32\winsrv.dll
2007-03-09 06:02:00 75,512 ----a-w C:\windows\zllsputility.exe
2007-03-09 06:01:42 1,087,216 ----a-w C:\windows\system32\zpeng24.dll
2007-03-08 15:36:28 577,536 ----a-w C:\windows\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\windows\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\windows\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\windows\system32\win32k.sys
2005-07-29 21:24:26 472 -csha-r C:\windows\RXJpayBTY2hhdW1hbm4\lrLDuV1nsZ11xqY1vAb.vbs

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{4C0D6315-87CE-4063-98ED-3E66598C7383}=C:\windows\system32\ddccc.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{DEFFF658-4443-48EC-800A-A270D99005B6}=C:\windows\system32\ofqddeuh.dll [2007-05-27 17:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-23 18:40]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 04:48]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger 2005"="C:\Program Files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 18:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"NoSharedDocuments"=1 (0x1)
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 06:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Teh Pwnerer^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Teh Pwnerer\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]
C:\Program Files\Common Files\VCClient\VCClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]
C:\Program Files\Common Files\VCClient\VCMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C60 Series (Copy 1)]
C:\windows\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P32 "EPSON Stylus C60 Series (Copy 1)" /O6 "USB001" /M "Stylus C60"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1137807531\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\System32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBService"=2 (0x2)
"navapsvc"=2 (0x2)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070527-180931-386
O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

backup-20070527-180931-571
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

backup-20070527-180931-475
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

backup-20070527-180931-208
O4 - HKLM\..\Run: [bearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause

backup-20070527-180931-238
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20070527-180931-459
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

backup-20070527-180931-666
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/

backup-20060313-132008-106
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

backup-20060313-132008-251
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

backup-20060210-175839-417
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\azau0aj9edo.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\azau0aj9edo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

backup-20060205-172245-793
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

backup-20060205-172245-710
R3 - Default URLSearchHook is missing

backup-20060205-172245-700
O4 - HKCU\..\Run: [kkmf] C:\PROGRA~1\COMMON~1\kkmf\kkmfm.exe

backup-20060205-172245-490
O4 - HKLM\..\Run: [0wao0o9s.dll] RUNDLL32.EXE 0wao0o9s.dll,b 8054796

backup-20060205-172245-885
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe

Contents of the 'Scheduled Tasks' folder
2007-05-23 20:45:01 C:\windows\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 19:11:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-27 19:12:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 19:12

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 7:16:01 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\windows\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\notepad.exe
C:\Program Files\Operav9\Opera.exe
C:\Documents and Settings\Teh Pwnerer\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ofqddeuh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137029215869

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137029485108

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B45D099-95EB-4860-B78C-C102FC59F46F}: NameServer = 68.87.77.130,68.87.72.130

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

3DMark05

Ad-Aware SE Personal

Adobe Flash Player Plugin

Adobe Reader 7.0.9

Adobe Shockwave Player

AOL Instant Messenger

Apple Software Update

Athlon 64 Processor Driver

avast! Antivirus

CCleaner (remove only)

Civ II : Test Of Time

DivX Codec

DivX Content Uploader

DivX Converter

EPSON Printer Software

EVEREST Home Edition v2.20

EVGA Display Driver

ewido anti-malware

Finale NotePad 2006

FL Studio 6

Freelancer

Google Video Player

HijackThis 1.99.1

Hotfix for Windows Media Format 11 SDK (KB929399)

ImageJ 1.36b

IrfanView (remove only)

iTunes

Java SE Runtime Environment 6 Update 1

LimeWire 4.12.11

MadOnion.com/3DMark2001 SE

Microsoft .NET Framework 2.0

Microsoft User-Mode Driver Framework Feature Pack 1.0

Morrowind

Mozilla Firefox (1.5.0.6)

Myst for Windows 95

Network Play System (Patching)

NVIDIA Drivers

Oblivion

OpenOffice.org 2.0

Opera

Opera 9.01

Outerinfo

palmOne

Panda ActiveScan

Prime95

Pyware 3D Performers Practice Tools

QuickTime

RealPlayer

Realtek AC'97 Audio

ResChanger 2005

Riven DVD

Roll

RollerCoaster Tycoon 2

Security Update for Microsoft .NET Framework 2.0 (KB917283)

Security Update for Microsoft .NET Framework 2.0 (KB922770)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917537)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Sid Meier's Civilization 4

SoulSeek Client 156c

Spybot - Search & Destroy 1.4

SpywareBlaster v3.5.1

SpywareGuard v2.2

Starcraft

System Requirements Lab

TES Construction Set

The Zone

Thief - Deadly Shadows

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Windows Genuine Advantage v1.3.0254.0

Windows Installer 3.1 (KB893803)

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Service Pack 2

WinRAR archiver

Xvid 1.1.2 final uninstall

ZoneAlarm

Three things worth noting: the two O2 BHOs that you told me to delete could not be found, and the same with the O20 one. Furthermore, when I tried to delete C:\windows\SYSTEM32\winmxw32.dll, it told me that access was denied, and so I couldn't delete it. Finally, probably the most important, the Panda ActiveScan did not work on my computer - it loaded, told me it was scanning my memory processes, and then the bar didn't move and nothing happened until I closed the window 15 minutes later.

Edited by Octavarium

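The O2/O20 lines in the log above are the ones the helpers keep coming back to: a BHO with no name, a DLL that lives in system32 instead of a vendor folder, and entries whose file is already gone. The script below is an added example (not part of this thread, and not HijackThis code) that parses those line types and applies exactly those three heuristics. The line regexes and the rules themselves are this example's own assumptions about the log layout; a hit means "look closer", not a verdict.

```python
import re

# Sample input: lines copied from the HijackThis log posted above in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ofqddeuh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

FILE_MISSING = "(file missing)"

# Line types this example understands. The regexes are this example's own
# reading of the layout seen in the thread (O4 covers the "[name] path" Run
# entries only, not the .lnk Startup entries).
LINE_PATTERNS = (
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>.+?)\] (?P<path>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")),
)

# A DLL directly inside \system32\ (assumed heuristic: vendor BHOs normally
# live under their own Program Files directory).
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    line = line.strip()
    for kind, rx in LINE_PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["kind"] = kind
        path = entry["path"].strip()
        entry["missing"] = path.endswith(FILE_MISSING)
        if entry["missing"]:
            path = path[: -len(FILE_MISSING)].strip()
        entry["path"] = path
        return entry
    return None


def triage_reasons(entry):
    """Assumed triage rules; each returned string is one reason to inspect the entry."""
    reasons = []
    if entry["missing"]:
        reasons.append("orphaned: referenced file is missing, registry entry left behind")
    if entry["kind"] == "O2":
        if entry["name"] == "(no name)":
            reasons.append("BHO has no registered name")
        if SYSTEM32_RE.search(entry["path"]):
            reasons.append("BHO loaded from system32 rather than a vendor directory")
    return reasons


def triage(log_text):
    """Parse a log and return only the entries that trip at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage_reasons(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['kind']:4} {e['path']}")
        for r in e["reasons"]:
            print(f"     - {r}")
```

Run against the sample, the two unnamed system32 BHOs and the orphaned Winlogon notifier are the only hits; the Adobe, SpywareGuard and avast! entries pass, which is the separation a helper wants before deciding what to fix.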

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Step #1

 

Please click: Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:

Outerinfo

 

Reboot your computer after that.

 

Step #2

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

 

File::
C:\WINDOWS\system32\tmp.reg
C:\Program Files\GameTop.com
C:\windows\RXJpayBTY2hhdW1hbm4\lrLDuV1nsZ11xqY1vAb.vbs
C:\windows\SYSTEM32\winmxw32.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4C0D6315-87CE-4063-98ED-3E66598C7383}=-
{DEFFF658-4443-48EC-800A-A270D99005B6}=-

Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.

[screenshot: Combo-Do.gif]

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

 

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Step #3

 

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Step #4

 

  • Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image: check.gif]
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    [image: move.gif]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Please post the log from the ComboFix scan located at C:\ComboFix.txt, the VundoFix log along with the Dr.Web log.


"Teh Pwnerer" - 2007-05-28 11:44:41 Service Pack 2

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Teh Pwnerer\"

Command switches used :: ""C:\Documents and Settings\Teh Pwnerer\Desktop\combofix-do.txt""

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

"C:\WINDOWS\system32\tmp.reg"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))

 

 

2007-05-27 22:54 <DIR> d-------- C:\Program Files\RADVideo

2007-05-27 22:52 <DIR> d-------- C:\DOCUME~1\TEHPWN~1\APPLIC~1\DivX

2007-05-27 22:47 <DIR> d-------- C:\Program Files\QuickTime

2007-05-27 19:12 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-27 18:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-05-27 17:06 124,436 --a------ C:\WINDOWS\system32\ofqddeuh.dll

2007-05-25 16:57 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll

2007-05-25 16:57 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2007-05-25 16:57 <DIR> d-------- C:\Program Files\Xvid

2007-05-24 13:53 <DIR> d-------- C:\VundoFix Backups

2007-05-22 20:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera

2007-05-22 20:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-05-22 20:27 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-05-22 20:27 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-05-22 20:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-05-20 21:49 <DIR> d-------- C:\Program Files\GameTop.com

2007-05-20 19:38 542 --a------ C:\WINDOWS\eReg.dat

2007-05-20 19:21 33,792 -ra------ C:\WINDOWS\NPSExec.exe

2007-05-20 19:21 <DIR> d-------- C:\Program Files\Electronic Arts

2007-05-20 19:19 <DIR> d-------- C:\Program Files\Maxis

2007-05-02 20:24 <DIR> d-------- C:\Program Files\Myst

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-28 05:03:58 -------- d-----w C:\DOCUME~1\TEHPWN~1\APPLIC~1\uTorrent

2007-05-28 04:47:09 -------- d-----w C:\Program Files\Apple Software Update

2007-05-28 01:21:12 -------- d-----w C:\Program Files\ewido anti-malware

2007-05-28 00:52:05 -------- d-----w C:\Program Files\DAEMON Tools

2007-05-28 00:52:04 -------- d-----w C:\Program Files\iTunes

2007-05-28 00:52:03 -------- d-----w C:\Program Files\SpywareGuard

2007-05-28 00:52:03 -------- d-----w C:\Program Files\ResChanger 2005

2007-05-28 00:51:50 -------- d-----w C:\Program Files\Operav9

2007-05-25 23:39:32 -------- d-----w C:\Program Files\Soulseek

2007-05-25 03:56:52 -------- d-----w C:\DOCUME~1\TEHPWN~1\APPLIC~1\OpenOffice.org2

2007-05-21 01:40:39 -------- d-----w C:\Program Files\Yahoo!

2007-05-21 01:22:49 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-21 00:30:16 639,224 ----a-w C:\windows\system32\drivers\sptd.sys

2007-05-15 00:01:53 -------- d-----w C:\Program Files\LimeWire

2007-04-21 20:35:24 -------- d-----w C:\Program Files\Riven DVD

2007-04-21 05:38:49 -------- d-----w C:\Program Files\DivX

2007-04-21 00:23:03 240 ----a-w C:\windows\PowerReg.dat

2007-04-21 00:22:48 2,272 ----a-w C:\windows\system32\w95inf16.dll

2007-04-21 00:22:47 4,608 ----a-w C:\windows\system32\w95inf32.dll

2007-04-21 00:22:07 -------- d-----w C:\Program Files\Microprose

2007-04-18 16:12:23 2,854,400 ----a-w C:\windows\system32\msi.dll

2007-03-30 01:00:43 4,212 ---h--w C:\windows\system32\zllictbl.dat

2007-03-27 07:55:57 524,288 ----a-w C:\windows\system32\DivXsm.exe

2007-03-27 07:55:48 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll

2007-03-27 07:55:23 200,704 ----a-w C:\windows\system32\ssldivx.dll

2007-03-27 07:55:23 1,044,480 ----a-w C:\windows\system32\libdivx.dll

2007-03-27 07:49:07 73,728 ----a-w C:\windows\system32\dpl100.dll

2007-03-27 07:49:07 196,608 ----a-w C:\windows\system32\dtu100.dll

2007-03-27 07:49:05 53,248 ----a-w C:\windows\system32\dpuGUI10.dll

2007-03-27 07:49:03 593,920 ----a-w C:\windows\system32\dpuGUI11.dll

2007-03-27 07:49:02 57,344 ----a-w C:\windows\system32\dpv11.dll

2007-03-27 07:49:02 344,064 ----a-w C:\windows\system32\dpus11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\windows\system32\dpu11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\windows\system32\dpu10.dll

2007-03-27 07:48:59 823,296 ----a-w C:\windows\system32\divx_xx07.dll

2007-03-27 07:48:58 823,296 ----a-w C:\windows\system32\divx_xx0c.dll

2007-03-27 07:48:58 802,816 ----a-w C:\windows\system32\divx_xx11.dll

2007-03-27 07:48:58 639,066 ----a-w C:\windows\system32\DivX.dll

2007-03-17 13:43:01 292,864 ----a-w C:\windows\system32\winsrv.dll

2007-03-09 06:02:00 75,512 ----a-w C:\windows\zllsputility.exe

2007-03-09 06:01:42 1,087,216 ----a-w C:\windows\system32\zpeng24.dll

2007-03-08 15:36:28 577,536 ----a-w C:\windows\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\windows\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\windows\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\windows\system32\win32k.sys

2005-07-29 21:24:26 472 -csha-r C:\windows\RXJpayBTY2hhdW1hbm4\lrLDuV1nsZ11xqY1vAb.vbs

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]

{4C0D6315-87CE-4063-98ED-3E66598C7383}=C:\windows\system32\ddccc.dll []

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{DEFFF658-4443-48EC-800A-A270D99005B6}=C:\windows\system32\ofqddeuh.dll [2007-05-27 17:06]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]

"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-23 18:40]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 04:48]

"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ResChanger 2005"="C:\Program Files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 18:30]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=0 (0x0)

"NoColorChoice"=0 (0x0)

"NoSizeChoice"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispCPL"=0 (0x0)

"NoVisualStyleChoice"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=0 (0x0)

"NoThemesTab"=0 (0x0)

"NoSharedDocuments"=1 (0x1)

"NoInstrumentation"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 06:21]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Teh Pwnerer^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]

path=C:\Documents and Settings\Teh Pwnerer\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk

backup=C:\windows\pss\OpenOffice.org 2.0.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]

C:\Program Files\Common Files\VCClient\VCClient.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]

C:\Program Files\Common Files\VCClient\VCMain.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C60 Series (Copy 1)]

C:\windows\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P32 "EPSON Stylus C60 Series (Copy 1)" /O6 "USB001" /M "Stylus C60"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

C:\Program Files\Common Files\AOL\1137807531\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]

C:\WINDOWS\System32\nvraidservice.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SBService"=2 (0x2)

"navapsvc"=2 (0x2)

"ewido security suite guard"=2 (0x2)

"ewido security suite control"=2 (0x2)

"ccPwdSvc"=3 (0x3)

"ccEvtMgr"=2 (0x2)

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-28 04:47:10 C:\windows\tasks\AppleSoftwareUpdate.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-28 11:46:21

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-28 11:46:47

C:\ComboFix-quarantined-files.txt ... 2007-05-28 11:46

C:\ComboFix2.txt ... 2007-05-27 19:12

 

--- E O F ---

VundoFix V6.4.1

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 1:53:42 PM 5/24/2007

 

Listing files found while scanning....

 

C:\windows\system32\cccdd.bak1

C:\windows\system32\cccdd.bak2

C:\windows\system32\cccdd.ini

C:\windows\system32\ddccc.dll

C:\windows\system32\ihmcrakv.ini

C:\windows\system32\iwwcajxq.dll

C:\windows\system32\mljkihg.dll

C:\windows\system32\vkarcmhi.dll

 

Beginning removal...

 

Attempting to delete C:\windows\system32\cccdd.bak1

C:\windows\system32\cccdd.bak1 Has been deleted!

 

Attempting to delete C:\windows\system32\cccdd.bak2

C:\windows\system32\cccdd.bak2 Has been deleted!

 

Attempting to delete C:\windows\system32\cccdd.ini

C:\windows\system32\cccdd.ini Has been deleted!

 

Attempting to delete C:\windows\system32\ddccc.dll

C:\windows\system32\ddccc.dll Could not be deleted.

 

Attempting to delete C:\windows\system32\ihmcrakv.ini

C:\windows\system32\ihmcrakv.ini Has been deleted!

 

Attempting to delete C:\windows\system32\iwwcajxq.dll

C:\windows\system32\iwwcajxq.dll Could not be deleted.

 

Attempting to delete C:\windows\system32\mljkihg.dll

C:\windows\system32\mljkihg.dll Could not be deleted.

 

Attempting to delete C:\windows\system32\vkarcmhi.dll

C:\windows\system32\vkarcmhi.dll Could not be deleted.

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\windows\system32\cccdd.ini

C:\windows\system32\cccdd.ini Has been deleted!

 

Attempting to delete C:\windows\system32\ddccc.dll

C:\windows\system32\ddccc.dll Has been deleted!

 

Attempting to delete C:\windows\system32\iwwcajxq.dll

C:\windows\system32\iwwcajxq.dll Has been deleted!

 

Attempting to delete C:\windows\system32\mljkihg.dll

C:\windows\system32\mljkihg.dll Has been deleted!

 

Attempting to delete C:\windows\system32\vkarcmhi.dll

C:\windows\system32\vkarcmhi.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.4.1

 

Checking Java version...

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Scan started at 11:47:41 AM 5/28/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

 

ofqddeuh.dll;c:\windows\system32;Adware.Crew;Incurable.Will be moved after reboot.;

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.2.2;Probably BACKDOOR.Trojan;Incurable.Moved.;

Process.exe;C:\Documents and Settings\Teh Pwnerer\Desktop\Anti-Spyware\l2mfix;Tool.Prockill;Incurable.Deleted.;

restart.exe;C:\Documents and Settings\Teh Pwnerer\Desktop\Anti-Spyware\l2mfix;Tool.ShutDown.11;Deleted.;

Process.exe;C:\Documents and Settings\Teh Pwnerer\Desktop\Anti-Spyware\smitRem;Tool.Prockill;Incurable.Moved.;

DaemonTools_WhenUSave_Installer.exe;C:\Program Files\DaemonTools_WhenUSave_Installer;Adware.SaveNow;Incurable.Moved.;

npclntax.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Zango;Incurable.Moved.;

geede.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;

glhhhnta.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;

ikiwjvvk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Incurable.Moved.;

kflofwpv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;

winmxw32.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.DownLoader.22758;Deleted.;

A0423659.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP437;Trojan.DownLoader.19256;Deleted.;

A0423660.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP437;Trojan.Fakealert.257;Deleted.;

A0425921.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440;Adware.SaveNow;Incurable.Moved.;

A0425940.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440;Trojan.Click.2452;Deleted.;

A0425948.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440;Tool.Prockill;Incurable.Moved.;

A0425950.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440;Tool.ShutDown.11;Incurable.Moved.;

A0426114.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440;Trojan.Virtumod;Deleted.;

A0426116.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440;Trojan.Virtumod;Deleted.;

A0428389.exe;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP443;Trojan.DownLoader.10963;Deleted.;

A0431719.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Trojan.Virtumod;Deleted.;

A0431748.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Trojan.Virtumod;Deleted.;

A0431749.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Trojan.Virtumod;Deleted.;

A0431750.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Adware.Crew;Incurable.Moved.;

A0431751.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Trojan.Virtumod;Deleted.;

A0431752.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Trojan.DownLoader.22758;Deleted.;

A0431764.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Trojan.Virtumod;Deleted.;

iwwcajxq.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

vkarcmhi.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;

ofqddeuh.dll;C:\WINDOWS\system32;Adware.Crew;Incurable.Will be moved after reboot.;

Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;

On notepad, I didn't see the "next icon" for Dr.Web CureIt, so I just hit the "cure" button for everything that hadn't already been dealt with.

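The Dr.Web report above is a flat name;folder;threat;action list, and most of its hits are copies that ComboFix (C:\QooBox\Quarantine), VundoFix (C:\VundoFix Backups) or System Restore had already set aside. What still matters is the one entry marked "Will be moved after reboot" in a live location. The script below is an added example, not part of the thread or of Dr.Web, that parses the report, strips the numeric variant from each threat name to group by family, and separates already-contained copies from live detections and from items still pending. The field layout, the action keywords and the list of containment directories are this example's own assumptions, taken from what is visible in the thread.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Dr.Web CureIt report lines posted above.
SAMPLE_REPORT = r"""
ofqddeuh.dll;c:\windows\system32;Adware.Crew;Incurable.Will be moved after reboot.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.2.2;Probably BACKDOOR.Trojan;Incurable.Moved.;
geede.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0431750.dll;C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447;Adware.Crew;Incurable.Moved.;
iwwcajxq.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
"""

# Locations where another tool had already set the file aside (all three
# appear in this thread). A hit there is a leftover copy, not a sign that the
# infection is still active. Assumed list; extend for other tools.
CONTAINED_DIRS = (
    "\\qoobox\\quarantine",
    "\\vundofix backups",
    "\\system volume information\\_restore",
)


def classify_action(action):
    """Map the free-text action column to a small outcome vocabulary (assumed keywords)."""
    a = action.lower()
    if "after reboot" in a:
        return "pending_reboot"   # file is still on disk until the reboot happens
    if a.startswith("deleted"):
        return "deleted"
    if "moved" in a:
        return "quarantined"
    return "other"


def parse_report(text):
    """Parse name;folder;threat;action; lines into dicts; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.rstrip(";").split(";")
        if len(parts) != 4:
            continue
        name, folder, threat, action = parts
        entries.append({
            "name": name,
            "folder": folder,
            "threat": threat,
            "action": action,
            # "Trojan.Isbar.439" -> "Trojan.Isbar": drop a trailing numeric variant
            "family": re.sub(r"\.\d+$", "", threat),
            "outcome": classify_action(action),
            "contained": any(d in folder.lower() for d in CONTAINED_DIRS),
        })
    return entries


def outstanding(entries):
    """Entries the scanner could not finish with; these need the reboot and a re-check."""
    return [e for e in entries if e["outcome"] == "pending_reboot"]


def live_locations(entries):
    """Detections outside quarantine/backup/restore folders: the real infection footprint."""
    return [e for e in entries if not e["contained"]]


def summarize(entries):
    """Counts by threat family and by outcome."""
    return (Counter(e["family"] for e in entries),
            Counter(e["outcome"] for e in entries))


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    families, outcomes = summarize(entries)
    print("families:", dict(families))
    print("outcomes:", dict(outcomes))
    print("live:", [e["name"] for e in live_locations(entries)])
    print("still pending:", [e["name"] for e in outstanding(entries)])
```

On the sample this leaves ofqddeuh.dll as the only pending item and four live-location detections, against three hits that were already contained by earlier tools, which is the same conclusion the next helper post draws when it targets ddccc.dll and ofqddeuh.dll specifically.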

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Step #1

 

* Double-click VundoFix.exe to run it.

  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\windows\system32\ddccc.dll
  • Copy and paste next in the second field: C:\windows\system32\ofqddeuh.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,


Step #2


Scan again with HijackThis and check the following items:

O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)

O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ofqddeuh.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".


Reboot your computer.


Step #3


1. Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

2. Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).

Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.


3. Start HijackThis and perform a new scan.


4. Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps, and I will review it when it comes in.

Tell me if you're still having any problems.

Edited by didom
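A small triage of the HijackThis O2 entries that Step #2 tells the poster to fix, as an added example (Python) that is not part of this thread or of HijackThis/VundoFix themselves; the class and function names are my own. It parses O2 lines quoted from the logs above and flags the two unnamed system32 BHOs, one of them a stale "(file missing)" registration, while leaving the named Adobe, SpywareGuard and Java helpers alone.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O2 lines quoted from the HijackThis logs in this thread
# (the two the helper flagged plus three legitimate ones), and one O4 line to
# show that the parser ignores other sections.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4C0D6315-87CE-4063-98ED-3E66598C7383} - C:\windows\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {DEFFF658-4443-48EC-800A-A270D99005B6} - C:\windows\system32\ofqddeuh.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# One HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_bhos(log_text: str) -> list:
    """Extract every O2 (Browser Helper Object) entry from a HijackThis log."""
    bhos = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(Bho(m["name"], m["clsid"].upper(), m["path"],
                            m["missing"] is not None))
    return bhos


def triage(bho: Bho) -> Bho:
    """Attach the reasons a BHO deserves a second look (none for a clean entry)."""
    if bho.name == "(no name)":
        # Vundo/Virtumonde BHOs register without a friendly name; when the DLL
        # also sits in system32 rather than under the product's folder, that is
        # exactly the pattern the helper removed in this thread.
        reason = "unnamed BHO"
        if "\\system32\\" in bho.path.lower():
            reason += " loading from system32"
        bho.reasons.append(reason)
    if bho.file_missing:
        # DLL already gone but the registry entry lingers: still worth fixing.
        bho.reasons.append("stale registration (file missing)")
    return bho


def suspicious_bhos(log_text: str) -> list:
    """Return only the BHOs worth reviewing, each carrying its reasons."""
    return [b for b in map(triage, parse_bhos(log_text)) if b.reasons]


if __name__ == "__main__":
    for b in suspicious_bhos(SAMPLE_LOG):
        print(f"{{{b.clsid}}} {b.path}: {', '.join(b.reasons)}")
```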


Logfile of HijackThis v1.99.1

Scan saved at 9:47:03 PM, on 5/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\windows\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\windows\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\windows\system32\RunDLL32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ResChanger 2005\ResChanger2005.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\windows\system32\wuauclt.exe

C:\Program Files\Operav9\Opera.exe

C:\Documents and Settings\Teh Pwnerer\Desktop\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137029215869

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137029485108

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B45D099-95EB-4860-B78C-C102FC59F46F}: NameServer = 68.87.77.130,68.87.72.130

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Monday, May 28, 2007 9:46:36 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 29/05/2007

Kaspersky Anti-Virus database records: 333286

-------------------------------------------------------------------------------


Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true


Scan Target - My Computer:

A:\

C:\

D:\

E:\


Scan Statistics:

Total number of scanned objects: 100106

Number of viruses found: 11

Number of infected objects: 24 / 0

Number of suspicious objects: 3

Duration of the scan process: 00:42:59


Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Application Data\Opera\Operav9\mail\indexer\indexer.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Application Data\Opera\Operav9\mail\indexer\indexer_256.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Application Data\Opera\Operav9\mail\lexicon\lexicon.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Application Data\Opera\Operav9\mail\mailbase.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\DoctorWeb\Quarantine\A0425921.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Documents and Settings\Teh Pwnerer\DoctorWeb\Quarantine\A0431750.dll Infected: Packed.Win32.Klone.j skipped

C:\Documents and Settings\Teh Pwnerer\DoctorWeb\Quarantine\DaemonTools_WhenUSave_Installer.exe Infected: not-a-virus:AdTool.Win32.WhenU.j skipped

C:\Documents and Settings\Teh Pwnerer\DoctorWeb\Quarantine\ikiwjvvk.dll.vir Infected: Packed.Win32.Klone.j skipped

C:\Documents and Settings\Teh Pwnerer\DoctorWeb\Quarantine\ofqddeu0.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\Documents and Settings\Teh Pwnerer\DoctorWeb\Quarantine\ofqddeuh.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\Temp\hsperfdata_Teh Pwnerer\2304 Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\Temp\~DFE347.tmp Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\Temp\~DFE733.tmp Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Teh Pwnerer\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-05-28.16-27-22.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\khffdef.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422537.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422537.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422537.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422629.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422629.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422629.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422629.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP434\A0422629.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP437\A0423680.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440\A0425939.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440\A0425939.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440\A0425939.exe RarSFX: infected - 2 skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440\A0425949.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440\A0426113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP440\A0426115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP447\A0431765.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP449\A0432457.exe Infected: not-a-virus:AdTool.Win32.WhenU.j skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP449\A0432462.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\System Volume Information\_restore{E8FC3F4B-E1EC-4052-994F-8327CFB28B8D}\RP449\change.log Object is locked skipped

C:\VundoFix Backups\ddccc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

C:\VundoFix Backups\mljkihg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\ERIK.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{99DF5CDD-9B6E-419F-8B63-248789390021}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_e0.dat Object is locked skipped

C:\WINDOWS\Temp\ZLT07635.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT0763c.TMP Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped


Whoa sorry for the slow reply! Something must've happened the first time and I forgot...


Anyways, it's running fine. No slowdowns, no messages from anti-virus programs, it looks real good.


Thank you so much!


This log looks clean!

  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View tab.
    • Under the Hidden files and folders heading, deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
    1. Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check "Turn off System Restore".
      • Click Apply, and then click OK.
    2. Reboot your computer.
    3. Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-check "Turn off System Restore".
      • Click Apply, and then click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them....


Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.


Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.


This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!


Please post back if you are still having any problems....


Since the issue appears to be resolved this Topic is closed.


If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.


Everyone else please begin a New Topic.
