Old 05-07-2007, 06:36 AM   #1 (permalink)
Registered User
 
Join Date: May 2007
Posts: 33
OS: XP


HijackThis log (Please check ASAP)

Logfile of HijackThis v1.99.1
Scan saved at 9:53:14 PM, on 5/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\urdvxc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\ssc.exe
C:\WINDOWS\retadpu41.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll (file missing)
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [sixer5] C:\WINDOWS\system32\ssc.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu41.exe 61A847B5BBF72816338B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DA682D7735667D926033AAC01F09DDF7618419154310B87659CA5E04E5067DF690232BC15E2DCD66A47
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKCU\..\Run: [sixer5] C:\WINDOWS\system32\ssc.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174468873093
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AEB9E14-2AE8-4374-B48E-4BD936FAAFFE}: NameServer = 203.194.27.57 203.194.56.150
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
ChemicalRomance is offline  
Old 05-10-2007, 02:50 AM   #2 (permalink)

Re: HijackThis log (Please check ASAP)

*Bump*
ChemicalRomance is offline  
Old 05-10-2007, 11:43 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: HijackThis log (Please check ASAP)

Hello ChemicalRomance and welcome to TSF,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you which I will need in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply as well.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-12-2007, 04:17 AM   #4 (permalink)

Re: HijackThis log (Please check ASAP)

"Johnny" - 2007-05-12 17:18:12 Service Pack 1
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Johnny\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\retadpu41.exe
C:\WINDOWS\updater.exe
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\b122.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Johnny
C:\qoobox\purity\C\DOCUME~1\Johnny\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Johnny\MYDOCU~1\WNSXS~1
C:\qoobox\purity\C\DOCUME~1\Johnny\MYDOCU~1\WNSXS~1\w?wexec.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-07 21:56 2,560 ---hs---- C:\WINDOWS\system32\helperssc.exe
2007-05-07 20:52 2,560 ---hs---- C:\WINDOWS\system32\helpersrvc.exe
2007-05-01 05:18 <DIR> d-------- C:\WORD
2007-05-01 03:16 <DIR> d-------- C:\Program Files\GPSoftware
2007-04-29 19:37 <DIR> d-------- C:\Program Files\Webteh
2007-04-29 19:37 <DIR> d-------- C:\DOCUME~1\Johnny\APPLIC~1\BSplayer Pro
2007-04-29 19:37 <DIR> d-------- C:\DOCUME~1\Johnny\APPLIC~1\BSplayer
2007-04-29 15:37 <DIR> d-------- C:\Program Files\CyberLink
2007-04-29 15:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-04-20 11:30 2 --a------ C:\WINDOWS\system32\wintsvtr32.exe
2007-04-20 11:27 <DIR> d-------- C:\Program Files\Common Files\àdobe
2007-04-20 03:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-17 10:21 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-17 10:21 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-17 10:21 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-17 10:21 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-17 10:21 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-17 10:20 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-17 10:20 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-17 10:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-04-17 10:20 <DIR> d-------- C:\Program Files\Alwil Software
2007-04-16 12:07 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-04-16 12:07 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-04-16 12:07 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-04-16 12:07 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-04-16 12:07 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-04-16 12:07 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-04-16 12:07 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-04-16 12:07 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-04-16 12:07 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-04-16 12:07 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-04-16 12:07 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-04-16 12:07 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-04-16 12:07 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-04-16 12:07 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-04-16 12:07 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-04-16 12:07 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-04-16 12:07 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-04-16 12:07 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-04-14 20:07 <DIR> d-------- C:\Program Files\Everstrike Software
2007-04-14 20:07 <DIR> d-------- C:\Program Files\Common Files\Everstrike Software
2007-04-14 13:37 299 ---hs---- C:\WINDOWS\system32\ssc.exe
2007-04-13 15:42 <DIR> d-------- C:\Program Files\WinAVIVideoConverter


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 03:52:17 304 --sh--w C:\WINDOWS\system32\srvc.exe
2007-05-01 10:16:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-28 20:46:30 -------- d-----w C:\DOCUME~1\Johnny\APPLIC~1\uTorrent
2007-04-25 23:22:15 -------- d-----w C:\Program Files\Common Files\?dobe
2007-04-22 21:52:28 -------- d-----w C:\Program Files\SpeedFan
2007-04-20 10:42:30 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-16 1929 -------- d-----w C:\Program Files\Messenger
2007-04-04 08:00:07 -------- d-----w C:\DOCUME~1\Johnny\APPLIC~1\Real
2007-04-04 08:00:07 -------- d-----w C:\DOCUME~1\Johnny\APPLIC~1\Media Player Classic
2007-04-04 07:59:58 -------- d-----w C:\Program Files\Real Alternative
2007-04-04 07:59:55 -------- d-----w C:\Program Files\Media Player Classic
2007-04-01 08:07:35 3,712 ----a-w C:\WINDOWS\system32\socketlock.sys
2007-04-01 07:34:30 -------- d-----w C:\Program Files\Foxit Software
2007-03-31 10:41:34 -------- d-----w C:\Program Files\Ares
2007-03-29 23:44:44 -------- d-----w C:\Program Files\SlySoft
2007-03-29 23:28:56 -------- d-----w C:\Program Files\Alcohol Soft
2007-03-29 23:28:01 -------- d-----w C:\Program Files\Elaborate Bytes
2007-03-29 23:26:21 -------- d-----w C:\Program Files\DVD Shrink
2007-03-28 12:28:40 -------- d-----w C:\Program Files\Winamp
2007-03-24 01:42:51 -------- d-----w C:\Program Files\NavExcel Search Toolbar
2007-03-23 09:40:12 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-22 08:09:38 -------- d-----w C:\Program Files\XviD
2007-03-22 07:43:30 -------- d-----w C:\DOCUME~1\Johnny\APPLIC~1\vlc
2007-03-22 00:56:06 -------- d-----w C:\Program Files\DivX
2007-03-22 00:51:37 -------- d-----w C:\Program Files\RegistryFix
2007-03-22 00:00:00 -------- d-----w C:\Program Files\Kerio
2007-03-21 23:59:48 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-21 12:12:09 -------- d-----w C:\Program Files\MediaMonkey
2007-03-21 11:49:22 -------- d-----w C:\Program Files\VideoLAN
2007-03-21 11:40:35 -------- d-----w C:\Program Files\Hercules
2007-03-21 11:20:59 -------- d-----w C:\Program Files\PestPatrol
2007-03-21 11:20:30 -------- d-----w C:\Program Files\VERITAS Software
2007-03-21 11:00:13 -------- d-----w C:\Program Files\Ahead
2007-03-21 11:00:12 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-21 09:01:42 -------- d-----w C:\Program Files\Anti Trojan Elite
2007-03-21 09:01:21 -------- d-----w C:\Program Files\RegistryCleanerXP
2007-03-21 09:01:18 -------- d-----w C:\Program Files\Network Associates
2007-03-21 04:39:04 63,488 --sha-w C:\WINDOWS\system32\urdvxc.exe
2007-03-21 03:46:23 64,281 ----a-w C:\WINDOWS\system32\dload.exe
2007-03-21 03:39:14 -------- d-----w C:\Program Files\MSN Messenger
2007-03-21 02:44:41 -------- d-----w C:\DOCUME~1\Johnny\APPLIC~1\RegUpdate
2007-03-20 09:57:50 -------- d-----w C:\DOCUME~1\Johnny\APPLIC~1\.BitTornado
2007-03-20 09:56:41 0 ----a-w C:\WINDOWS\nsreg.dat
2007-03-20 09:56:35 2,301 ----a-w C:\WINDOWS\mozver.dat
2007-03-20 09:55:59 -------- d-----w C:\Program Files\BitTornado
2007-03-20 09:24:51 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-20 09:24:29 0 --sha-r C:\MSDOS.SYS
2007-03-20 09:24:29 0 --sha-r C:\IO.SYS
2007-03-20 09:24:29 0 ----a-w C:\CONFIG.SYS
2007-03-20 09:24:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-20 09:23:09 -------- d-----w C:\Program Files\Online Services
2007-03-20 09:22:35 -------- d-----w C:\Program Files\Movie Maker
2007-03-20 09:21:57 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-20 09:20:56 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-20 09:20:20 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-20 09:20:17 -------- d-----w C:\Program Files\Windows NT
2007-03-20 01:11:07 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-20 01:11:03 -------- d-----w C:\Program Files\Common Files\SpeechEngines


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{D80C4E21-C346-4E21-8E64-20746AA20AEB}"="C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RegistryUpdate"=""
"Anti Trojan Elite"="C:\\Program Files\\Anti Trojan Elite\\TJEnder.exe :NO"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundFusion"="RunDll32 hercplgs.cpl,BootEntryPoint"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"johnj315"="C:\\WINDOWS\\system32\\srvc.exe"
"sixer5"="C:\\WINDOWS\\system32\\ssc.exe"
"LFAgent"=""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"johnj315"="C:\\WINDOWS\\system32\\srvc.exe"
"sixer5"="C:\\WINDOWS\\system32\\ssc.exe"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 17:45:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 17:45:37
C:\ComboFix-quarantined-files.txt ... 2007-05-12 17:45
ChemicalRomance is offline  
Old 05-12-2007, 04:18 AM   #5 (permalink)

Re: HijackThis log (Please check ASAP)

SDFix: Version 1.83

Run by Johnny - Sat 05/12/2007 - 18:55:21.60

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Johnny\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
MSWindows

ImagePath:
"C:\WINDOWS\System32\urdvxc.exe" /service

MSWindows - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\DLOAD.EXE - Deleted
C:\WINDOWS\updater.exe.tmp - Deleted
C:\WINDOWS\system32\helperssc.exe - Deleted
C:\WINDOWS\system32\helpersrvc.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\srvc.exe - Deleted
C:\WINDOWS\system32\ssc.exe - Deleted
C:\WINDOWS\system32\urdvxc.exe - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Johnny\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:


Finished
ChemicalRomance is offline  
Old 05-12-2007, 04:19 AM   #6 (permalink)

Re: HijackThis log (Please check ASAP)

Logfile of HijackThis v1.99.1
Scan saved at 7:38:21 PM, on 5/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll (file missing)
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174468873093
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
ChemicalRomance is offline  
Old 05-12-2007, 08:12 AM   #7 (permalink)

Re: HijackThis log (Please check ASAP)

Let's do a sweep and search for any remnants that may still be lurking.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Please download ATF Cleaner by Atribune.

--------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------


Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following File

C:\WINDOWS\SYSTEM32\WINTSVTR32.EXE


--------------------------------------------------------------------

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
New HijackThis log


Please let me know how the system is behaving--what issues remain?
Ried is offline  
Old 05-15-2007, 12:45 PM   #8 (permalink)

Re: HijackThis log (Please check ASAP)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:21:24 AM 5/14/2007

+ Scan result:



C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP7\A0001379.exe -> Adware.ManReg : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP7\A0001436.exe -> Adware.ManReg : No action taken.
D:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP29\A0004160.exe -> Adware.ManReg : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP15\A0003632.dll -> Adware.NavExcel : No action taken.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir -> Adware.PurityScan : No action taken.
C:\QooBox\purity\C\DOCUME~1\Johnny\MYDOCU~1\WNSXS~1\wοwexec.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP105\A0012140.dll -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015932.exe -> Adware.PurityScan : No action taken.
C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU\Customer Support.lnk -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU\Uninstall Instructions.lnk -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : No action taken.
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP113\A0013433.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP113\A0013437.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP114\A0013504.exe -> Adware.SaveNow : No action taken.
D:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP114\A0013498.exe -> Adware.SaveNow : No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015934.exe -> Adware.Softomate : No action taken.
C:\WINDOWS\b116.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP116\A0013611.exe -> Backdoor.IRCBot.aak : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015969.exe -> Backdoor.IRCBot.aak : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015980.exe -> Backdoor.IRCBot.aak : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP108\A0013237.exe -> Downloader.Age : No action taken.
C:\QooBox\Quarantine\C\WINDOWS\retadpu41.exe.vir -> Downloader.Agent.bls : No action taken.
C:\QooBox\Quarantine\C\WINDOWS\updater.exe.vir -> Downloader.Agent.bls : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP103\A0011069.exe -> Downloader.Agent.bls : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP118\A0013677.exe -> Downloader.Agent.bls : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP124\A0015819.exe -> Downloader.Agent.bls : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015927.exe -> Downloader.Agent.bls : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015928.exe -> Downloader.Agent.bls : No action taken.
D:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP45\A0008737.exe -> Downloader.Agent.bls : No action taken.
D:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP44\A0008683.exe -> Downloader.Harnig.bq : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP105\A0012153.exe -> Downloader.PurityScan.eh : No action taken.
C:\Documents and Settings\Johnny\3.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP120\A0014712.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP120\A0014726.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP120\A0015706.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP120\A0015711.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015970.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015971.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015981.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015982.exe -> Proxy.Slaper.e : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP46\A0008752.exe -> Proxy.Slaper.e : No action taken.
C:\Program Files\Alcohol Soft\Alcohol 120\crack.exe -> Trojan.Feutel.av : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP25\A0004020.exe -> Trojan.Feutel.av : No action taken.
C:\QooBox\Quarantine\C\Program Files\Ipwindows\UnInstall.exe.vir -> Trojan.Rond : No action taken.
C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.dll.vir -> Trojan.Rond : No action taken.
C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.exe.vir -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015929.dll -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015930.exe -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP125\A0015931.exe -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{518D3577-F666-41D3-AAFD-0E325CE00446}\RP126\A0016127.exe -> Trojan.Small : No action taken.


::Report end
Old 05-15-2007, 12:50 PM   #9 (permalink)
Registered User
 
Join Date: May 2007
Posts: 33
OS: XP


Re: HijackThis log (Please check ASAP)

Incident Status Location

Virus:W32/Rahack.gen Disinfected Operating system
Adware:adware/whenusearch Not disinfected C:\Documents and Settings\Johnny\Start Menu\Programs\WhenU
Adware:adware/navhelper Not disinfected c:\program files\NavExcel Search Toolbar
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\iPower\khqljben.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\iPower\lsjkcbbl.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\iPower\start.htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\iPower\start_temp.htm
Virus:Trj/MailBot.CN Disinfected C:\Documents and Settings\Johnny\3.exe
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.go.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Johnny\Application Data\Mozilla\Firefox\Profiles\mau99txl.default\cookies.txt[.yadro.ru/]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Johnny\Desktop\bsplayer220.949_clip.exe[BSplayer_WhenUSave_InstallerInst.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Johnny\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Johnny\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\forum[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\forum[2].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\lkrcqeec.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\loading[1].html
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\login_security_tips[1].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\ltletqcj.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\nvbhrrnv.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\pop_preview[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\pop_preview[2].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\qnkrcsbe.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\qvlsltrq.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\search[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\search[2].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\sssneqtx.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\topic[1].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\04ZCSQX4\tsenbjlr.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\forum[1].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\jhhrchtj.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\jwjtrjej.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\jwlknthn.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\kjsbbrkt.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\krwqrnhk.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\ljsnbbbj.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\nkteqjnk.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\pop_preview[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\post[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\post[2].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\post_info[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\propaganda[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\search[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\search[2].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\search[3].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\topic[1].htm
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\topic[2].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\txkwjvnj.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\K9ANO1ER\wstetnhs.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\LG53DKFA\active[1].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\LG53DKFA\chxhjllj.exe
Virus:HTML/Instancob.A Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\LG53DKFA\forum[1].htm
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\LG53DKFA\hlvrqnkt.exe
Virus:W32/Rahack.gen Disinfected C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\LG53DKFA\kjvts