Tech Support Forum > HijackThis Log Help
#21
Registered User | Join Date: Jun 2008 | Posts: 45 | OS: xp sp1
Re: Uninstalling Malware and IE Hijacking
Here are the latest logs. The computer seems to be running fine. No strange pop-ups or programs running that I can identify. The mIRC program that I deleted from the Add or Remove Programs is back...see attached screen shot.
Hijack This
-------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:55 AM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4474 bytes

otmoveit2
---------------------------
Explorer killed successfully
File/Folder C:\bw.exe not found.
< C:\Documents and Settings\Owner\Desktop\requested-files[2008-06-14_00_50].cab >
File/Folder C:\Documents and Settings\Owner\Desktop\requested-files[2008-06-14_00_50].cab not found.
File/Folder C:\Documents and Settings\Owner\ss.exe not found.
File/Folder C:\gc.exe not found.
File/Folder C:\mt-uninstaller.exe not found.
File/Folder C:\Program Files\Common Files\WhenU not found.
File/Folder C:\Program Files\Search Toolbar not found.
File/Folder C:\SDFix not found.
File/Folder C:\WINDOWS\bundles not found.
File/Folder C:\WINDOWS\dhp2.dll not found.
File/Folder C:\WINDOWS\EliteToolBar not found.
File/Folder C:\WINDOWS\minigolf_affiliate.exe not found.
File/Folder C:\WINDOWS\Qiphmhb.exe not found.
File/Folder C:\WINDOWS\system32\autodrop.exe not found.
File/Folder C:\WINDOWS\system32\axpfbho.exe not found.
File/Folder C:\WINDOWS\system32\calcu.exe not found.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D41GRMP moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8B4X8BCT moved successfully.
File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W3BZQD7S not found.
File/Folder C:\WINDOWS\system32\cs not found.
File/Folder C:\WINDOWS\system32\dealhelper.exe not found.
File/Folder C:\WINDOWS\system32\exul.exe not found.
File/Folder C:\WINDOWS\system32\greenstd.exe not found.
File/Folder C:\WINDOWS\system32\javexulm.vxd not found.
File/Folder C:\WINDOWS\system32\kltye.exe not found.
File/Folder C:\WINDOWS\system32\kwdstd.exe not found.
File/Folder C:\WINDOWS\system32\mmview_ic.dll not found.
File/Folder C:\WINDOWS\system32\mssysapps not found.
File/Folder C:\WINDOWS\system32\niamx not found.
File/Folder C:\WINDOWS\system32\ssm.exe not found.
File/Folder C:\WINDOWS\system32\targetsavers.exe not found.
File/Folder C:\WINDOWS\system32\xmqjy not found.
File/Folder C:\WINDOWS\Temp\THI1127.tmp not found.
File/Folder C:\WINDOWS\tqjd.exe not found.
< emptytemp >
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.cab scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.inf scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.cab scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.inf scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06142008_233806

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll NOT unregistered.
C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat not found!
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File move failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.cab scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.inf scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.cab scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.inf scheduled to be moved on reboot.

mbam
-------------------
Malwarebytes' Anti-Malware 1.17
Database version: 856

12:11:21 AM 6/15/2008
mbam-log-6-15-2008 (00-11-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94608
Time elapsed: 18 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\xjado (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\STC (Fake.Dropped.Malware) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP171\A0164688.scr (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP171\A0164694.SCR (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP171\A0164696.DLL (Adware.MyWeb.FunWeb) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP171\A0164698.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP173\A0165072.dll (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP175\A0166694.dll (Adware.Hotbar) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP175\A0166701.dll (Adware.Hotbar) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP180\A0168174.exe (Worm.Padobot) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP180\A0168186.exe (Worm.Padobot) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP180\A0168187.exe (Worm.Padobot) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP180\A0168193.exe (Worm.Padobot) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP180\A0168218.exe (Adware.MediaTickets) -> No action taken.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP180\A0168248.exe (Worm.Padobot) -> No action taken.
C:\winserv.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\osrouter.dll (Spyware.MarketScore) -> No action taken.
#22
Moderator/Analyst, Security Team; Rangemaster, TSF Academy | Join Date: Oct 2006 | Location: BC, Canada | Posts: 2,711 | OS: XP
Re: Uninstalling Malware and IE Hijacking
Hi,
That's odd. Everything that Kaspersky detected was gone. MBAM wasn't configured to delete all it detected. We'll use OTMoveIt2 to delete it instead so you won't need another 19 minutes to run the scan again. Please uninstall the mIRC application again and let me know how it goes.

* Re-run Kaspersky Online Scanner.
* Download GMER.
On your next reply, please include a
__________________
Proud member of UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#24
Moderator/Analyst, Security Team; Rangemaster, TSF Academy | Join Date: Oct 2006 | Location: BC, Canada | Posts: 2,711 | OS: XP
Re: Uninstalling Malware and IE Hijacking
I see. Looks like it's simply a leftover entry. I thought it came back for some more. Proceed with the instructions please.
#25
Registered User | Join Date: Jun 2008 | Posts: 45 | OS: xp sp1
Re: Uninstalling Malware and IE Hijacking
Here are the updated log files:
DSS:
-------
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-15 02:46:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 448 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:08 AM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4352 bytes

-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-14 23:45:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 23:45:35 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 23:45:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 18:56:47 0 d-------- C:\Program Files\Java
2008-06-14 18:56:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-06-14 17:51:29 0 d-------- C:\Program Files\Alwil Software
2008-06-14 01:42:11 0 d-------- C:\WINDOWS\ERUNT
2008-06-13 22:40:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-13 22:40:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-12 17:54:05 0 d-------- C:\Program Files\Trend Micro
2008-06-12 16:57:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-12 07:19:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-12 07:19:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-12 07:19:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-12 07:19:22 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-12 07:19:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-12 07:19:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-12 07:19:22 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-12 07:19:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-12 07:19:22 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-12 07:19:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-12 07:19:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-12 07:19:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-12 07:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-12 07:19:21 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-11 06:21:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-06-10 19:45:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 13:49:45 0 d-------- C:\WINDOWS\nview

-- Find3M Report ---------------------------------------------------------------

2008-06-14 23:28:19 0 d-------- C:\Program Files\Common Files
2008-06-14 18:56:43 0 d-------- C:\Program Files\Common Files\Java
2008-06-14 18:12:45 0 d-------- C:\Program Files\XML
2008-06-14 18:05:32 0 d-------- C:\Program Files\hbinst
2008-06-14 18:05:31 0 d-------- C:\Program Files\DR_S
2008-06-10 14:45:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-10 13:53:52 0 d-------- C:\Documents and Settings\Owner\Application Data\interMute
2008-06-10 11:48:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-10 10:36:50 0 d-------- C:\Program Files\Easy Internet signup

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/03/2003 01:44 PM]
"nwiz"="nwiz.exe" [03/03/2003 01:44 PM C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [9/20/2002 9:20:02 PM]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [4/10/2003 2:04:00 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

*Newly Created Service* - GMER

-- End of Deckard's System Scanner: finished at 2008-06-15 02:46:23 ------------

Kaspersky:
-----------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 04:56:20
Records in database: 865393
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 58371
Threat name: 50
Infected objects: 96
Suspicious objects: 0
Duration of the scan: 01:14:50

File name / Threat name / Threats count
C:\_OTMoveIt\MovedFiles\06142008_174133\counter.cab Infected: Trojan-Dropper.Win32.Small.ls 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: Trojan-Dropper.Win32.Agent.amm 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: Net-Worm.Win32.Randon 3
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 2
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: Trojan.BAT.Passer.a 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: Backdoor.Win32.Asylum.014 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: not-a-virus:NetTool.Win32.XScan.13 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: Backdoor.Win32.IrcContact.30 1
C:\_OTMoveIt\MovedFiles\06142008_232819\bw.exe Infected: not-a-virus:RiskTool.Win32.HideRun 1
C:\_OTMoveIt\MovedFiles\06142008_232819\Documents and Settings\Owner\Desktop\requested-files[2008-06-14_00_50].cab Infected: Backdoor.Win32.Wootbot.gen 2
C:\_OTMoveIt\MovedFiles\06142008_232819\Documents and Settings\Owner\Desktop\requested-files[2008-06-14_00_50].cab Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\_OTMoveIt\MovedFiles\06142008_232819\Documents and Settings\Owner\Desktop\requested-files[2008-06-14_00_50].cab Infected: Backdoor.Win32.Rbot.gen 3
C:\_OTMoveIt\MovedFiles\06142008_232819\Documents and Settings\Owner\Desktop\requested-files[2008-06-14_00_50].cab Infected: Trojan-Downloader.Win32.Agent.am 1
C:\_OTMoveIt\MovedFiles\06142008_232819\Documents and Settings\Owner\ss.exe Infected: not-a-virus:AdWare.Win32.AdURL.a 1
C:\_OTMoveIt\MovedFiles\06142008_232819\gc.exe Infected: Trojan-Clicker.Win32.Small.bj 1
C:\_OTMoveIt\MovedFiles\06142008_232819\mt-uninstaller.exe Infected: not-a-virus:AdWare.Win32.PurityScan.bu 1
C:\_OTMoveIt\MovedFiles\06142008_232819\Program Files\Common Files\WhenU\EmbedSE.dll Infected: not-a-virus:AdWare.Win32.SaveNow.bb 1
C:\_OTMoveIt\MovedFiles\06142008_232819\Program Files\Search Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.WebSearch.o 1
C:\_OTMoveIt\MovedFiles\06142008_232819\SDFix\backups\backups.zip Infected: Trojan-Dropper.Win32.Delf.ev 1
C:\_OTMoveIt\MovedFiles\06142008_232819\SDFix\backups\backups.zip Infected: Backdoor.Win32.Rbot.gen 19
C:\_OTMoveIt\MovedFiles\06142008_232819\SDFix\backups\backups.zip Infected: Backdoor.Win32.EggDrop.v 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\bundles\runsearch.exe Infected: not-a-virus:AdWare.Win32.MegaSearch.d 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\dhp2.dll Infected: not-a-virus:AdWare.Win32.DealHelper.j 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\EliteToolBar\EliteToolBar version 52.dll Infected: not-a-virus:AdWare.Win32.EliteBar.t 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\minigolf_affiliate.exe Infected: Trojan-Downloader.NSIS.Agent.g 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\Qiphmhb.exe Infected: Backdoor.Win32.Agent.bg 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\autodrop.exe Infected: Trojan-Downloader.Win32.Agent.gp 2
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\axpfbho.exe Infected: Trojan-Downloader.Win32.Agent.gp 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\axpfbho.exe Infected: not-a-virus:AdWare.Win32.NoName.e 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\calcu.exe Infected: Trojan-Dropper.Win32.Agent.amm 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D41GRMP\js[1].htm Infected: Exploit.HTML.CodeBaseExec 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D41GRMP\mt[1].htm Infected: Trojan-Clicker.JS.Linker.j 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D41GRMP\runsearch[1].exe Infected: not-a-virus:AdWare.Win32.MegaSearch.d 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8B4X8BCT\install[1].exe Infected: not-a-virus:AdWare.Win32.Adstart.c 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8B4X8BCT\install[1].exe Infected: not-a-virus:AdWare.Win32.Adstart.b 2
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8B4X8BCT\install[1].exe Infected: not-a-virus:AdWare.Win32.Adstart.d 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8B4X8BCT\lcsex[1].html Infected: Trojan-Downloader.JS.Small.h 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8B4X8BCT\SYSsfitb[1].dll Infected: not-a-virus:AdWare.Win32.SearchIt.g 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\common[1].cab Infected: not-a-virus:AdWare.Win32.WebSearch.s 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\ezStub[1].exe Infected: not-a-virus:AdWare.Win32.EZula.y 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\js[1].htm Infected: Exploit.HTML.CodeBaseExec 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\js[3].htm Infected: Exploit.HTML.CodeBaseExec 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\load[1].htm Infected: Trojan-Downloader.JS.IstBar.m 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\prompt[2].php Infected: Trojan-Downloader.JS.WinAD.a 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCX678Z\ysb_prompt[2].htm Infected: Trojan-Downloader.JS.IstBar.j 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W3BZQD7S\DnldNCSX0002[1].exe Infected: not-a-virus:AdWare.Win32.SaveNow.ay 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W3BZQD7S\load[1].html Infected: Trojan-Downloader.JS.IstBar.x 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W3BZQD7S\mt[2].html Infected: Trojan-Clicker.JS.Linker.j 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\cs Infected: Net-Worm.Win32.Randon 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\dealhelper.exe Infected: Trojan-Downloader.Win32.Small.nj 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\exul.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\greenstd.exe Infected: Trojan-Downloader.Win32.Agent.gp 2
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\javexulm.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\kltye.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\kwdstd.exe Infected: Trojan-Downloader.Win32.Agent.fo 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\kwdstd.exe Infected: Trojan-Downloader.Win32.Agent.gp 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\mmview_ic.dll Infected: Trojan-Downloader.Win32.Agent.cu 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\mssysapps\targetsavers.exe Infected: Trojan-Downloader.Win32.TSUpdate.a 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\niamx Infected: Net-Worm.Win32.Randon 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\ssm.exe Infected: Trojan-Downloader.Win32.Agent.gp 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\targetsavers.exe Infected: Trojan-Downloader.Win32.TSUpdate.a 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\xmqjy\qcfq.exe Infected: Trojan-Downloader.Win32.Agent.fo 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\Temp\THI1127.tmp\localNrd.cab Infected: not-a-virus:AdWare.Win32.BiSpy.n 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\Temp\THI1127.tmp\localNrd.cab Infected: not-a-virus:AdWare.Win32.BiSpy.o 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\Temp\THI1127.tmp\localNrd.cab Infected: Trojan-Downloader.Win32.Agent.ae 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\tqjd.exe Infected: Backdoor.Win32.Agent.bg 1

The selected area was scanned.

gmer:
--------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-15 02:45:21
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDAE6588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEDAE6444]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEDAE6922]
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF72B6803]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEDAE601C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEDAE651E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEDAE5F5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEDAE5FC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEDAE663E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEDAE65FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEDAE677E]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\nic1394.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\nic1394.sys[NDIS.SYS!NdisMRegisterMiniport] [F72B651E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [F72B651E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [F72B651E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [F72B651E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [F72B651E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT
\SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [F72B648B] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [F72B6744] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [F72B651E] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks) IAT 
\SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F72B6380] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F72B671A] IPVNMon.sys (IPVNMon/Visual Networks) IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F72B66A7] IPVNMon.sys (IPVNMon/Visual Networks) ---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00510002 IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00510000 ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! 
File System Filter Driver for Windows XP/ALWIL Software) ---- EOF - GMER 1.0.14 ---- otmoveit2 --------------- Explorer killed successfully < HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} > Registry key HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0}\\ not found. < HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} > Registry key HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c}\\ not found. < HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} > Registry key HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}\\ not found. < HKEY_CURRENT_USER\Software\xjado > Registry key HKEY_CURRENT_USER\Software\xjado \\ not found. < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss > Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss \\ not found. < HKEY_CLASSES_ROOT\WUSN.1 > Registry key HKEY_CLASSES_ROOT\WUSN.1\\ not found. File/Folder C:\Program Files\STC not found. File/Folder C:\winserv.exe not found. File/Folder C:\WINDOWS\system32\osrouter.dll not found. < emptytemp > File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5d8.dat scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.cab scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.inf scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.cab scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.inf scheduled to be deleted on reboot. Temp folders emptied. IE temp folders emptied. Explorer started successfully OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06152008_004606 Files moved on Reboot... 
DllUnregisterServer procedure not found in C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll NOT unregistered. C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll moved successfully. C:\WINDOWS\temp\Perflib_Perfdata_5d8.dat moved successfully. File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found! File move failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.cab scheduled to be moved on reboot. File move failed. C:\WINDOWS\temp\THI1C42.tmp\conflict.inf scheduled to be moved on reboot. File move failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.cab scheduled to be moved on reboot. File move failed. C:\WINDOWS\temp\THI77F1.tmp\conflict.inf scheduled to be moved on reboot. |
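A quick way to triage a scan report in the "path Infected: detection count" layout used above is to parse it and split hits that sit inside the OTMoveIt2 quarantine folder (C:\_OTMoveIt\MovedFiles, already moved out of the way) from hits on live paths that still need attention. The script below is an added example, not code from the forum, from Kaspersky, or from OTMoveIt2; the sample lines reuse paths and detection names from the log above, with line breaks assumed because the posted log was run together, and the category split on the first dot of the detection name is my own convention.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample in the "<path> Infected: <detection> <count>" layout of the
# scan output above. Paths and detection names are copied from the page; the
# line breaks are assumed, since the posted log was run together into one line.
SAMPLE_LOG = r"""
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\dealhelper.exe Infected: Trojan-Downloader.Win32.Small.nj 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\greenstd.exe Infected: Trojan-Downloader.Win32.Agent.gp 2
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\kltye.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\system32\cs Infected: Net-Worm.Win32.Randon 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\tqjd.exe Infected: Backdoor.Win32.Agent.bg 1
C:\_OTMoveIt\MovedFiles\06142008_232819\WINDOWS\Temp\THI1127.tmp\localNrd.cab Infected: not-a-virus:AdWare.Win32.BiSpy.n 1
The selected area was scanned.
"""

# Folder OTMoveIt2 moves files into (folder name taken from the log above).
QUARANTINE_ROOT = r"C:\_OTMoveIt\MovedFiles"

# One record per "Infected:" line; status lines such as "The selected area was
# scanned." do not match and are skipped.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")


class Detection(NamedTuple):
    path: str
    name: str
    count: int

    @property
    def category(self) -> str:
        """Leading family of the detection name, or "not-a-virus" for PUA hits.

        This split (my convention, not the scanner's) turns
        "Trojan-Downloader.Win32.Agent.gp" into "Trojan-Downloader".
        """
        if self.name.startswith("not-a-virus:"):
            return "not-a-virus"
        return self.name.split(".", 1)[0]

    @property
    def quarantined(self) -> bool:
        # Case-insensitive prefix match, since Windows paths are case-insensitive.
        return self.path.lower().startswith(QUARANTINE_ROOT.lower() + "\\")


def parse_scan_log(text: str) -> list[Detection]:
    """Return one Detection per matching line, in log order."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"], int(m["count"])))
    return found


def summarize(detections: list[Detection]) -> dict:
    """Group hits by category and separate quarantined paths from live ones.

    Live (non-quarantined) paths are what still needs attention; hits inside
    the quarantine folder have already been moved out of their original place.
    """
    return {
        "files": len(detections),
        "total_hits": sum(d.count for d in detections),
        "by_type": Counter(d.category for d in detections),
        "quarantined": [d.path for d in detections if d.quarantined],
        "live": [d.path for d in detections if not d.quarantined],
    }


if __name__ == "__main__":
    report = summarize(parse_scan_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, every hit lands in the quarantine list and the live list is empty, which is the state the analyst is looking for before declaring the cleanup done. Feeding it the full log instead of the sample gives the same split for all of the entries above.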
#26
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,711
OS: XP
Re: Uninstalling Malware and IE Hijacking
Hi,
Victory is ours
Delete these folders:
C:\Program Files\hbinst
C:\Program Files\DR_S
How's it running? Is there anything suspicious still going on? Let me know.
__________________
Proud member of UNITE and ASAP since 2006
If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#27
Registered User
Join Date: Jun 2008
Posts: 45
OS: xp sp1
It is running great. The connection to the internet is as expected. There are no redirections or odd programs at start up. Boots & restarts great!
So where do I go from here?
#28
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,711
OS: XP
Re: Uninstalling Malware and IE Hijacking
Hi,
Congratulations! Your log looks clean! You may update to SP2 now. Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Configure Windows Xp to hide system files:
This is a good time to clear your existing system restore points and establish a new clean restore point:
Here are some free programs I recommend that could help you improve your PC's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.
» Comodo
» Kerio

MVPS Hosts File
~You can download it from here
~I highly recommend this hosts file. You can learn more about this here

IESpyAds
~Instructions on downloading and using it here
Note: This only works for Internet Explorer.

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

Install WinPatrol
~You can download it from here
~You can get some information about how WinPatrol works here

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing! Please reply one last time so I can mark this thread as resolved.
#29
Registered User
Join Date: Jun 2008
Posts: 45
OS: xp sp1
I am having problems updating to SP2. When I go to the Windows Update page, I am prompted to "Get the latest Windows Update Software". I click the "Install Now" button.
It downloads, copies and registers the files and then I get: [Error number: 0x8024D007]
Can you help with this or do I need to post this somewhere else?