Resolved HJT Threads: resolved spyware and popup issues.
#1 - 08-28-2007, 02:28 AM - confrontation (Registered User; Join Date: May 2007; Location: New Zealand; Posts: 164; OS: Windows 7 Ultimate 64x)
qwintdmt.exe and brbr program

I keep getting this every time I restart or turn off the computer. I have walked back into my room after a few hours and seen my computer is still running, and it shows what I have taken a screenshot of (can't give any more info about that, sorry).


[Screenshot: http://img214.imageshack.us/img214/3107/brbrcq9.th.png]


And also my anti-virus is picking up an adware every time I log on. I delete it when my anti-virus finds it and have also gone into the system32 folder and deleted it from there, but it still comes back.
I have run Ad-Aware Pro and it hasn't done a thing (ran it because my anti-virus (avast Pro) said it's adware).

I have followed your 5 steps before posting a log; this is what has come up:

Attached: Activescan.txt, extra.txt, main.txt, moved.txt, hijackthis.log.txt

Deckard's System Scanner v20070826.66
Run by Admin on 2007-08-28 20:04:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2007-08-29 03:04:52 UTC - RP39 - Deckard's System Scanner Restore Point
38: 2007-08-28 04:00:55 UTC - RP38 - Removed Jitbit Macro Recorder
37: 2007-08-28 03:19:35 UTC - RP37 - Installed Jitbit Macro Recorder
36: 2007-08-28 01:33:19 UTC - RP36 - Software Distribution Service 3.0
35: 2007-08-28 00:41:05 UTC - RP35 - System Checkpoint


-- First Restore Point --
1: 2007-07-26 02:38:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 811 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\lsdsrngr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Admin\My Documents\Downloads\Programs\dss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rwk2.racewarkingdoms.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Laser mouse] "C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [{4D-D6-6B-BE-ZN}] C:\WINDOWS\system32\lsdsrngr.exe CHA001
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lsdsrngr.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6786 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 GMFilter Filter - c:\windows\system32\drivers\gmfilter.sys <Not Verified; Game; Gaming Mouse>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7133&SUBSYS_00001131&REV_D0\3&13C0B0C5&0&50
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7133&SUBSYS_00001131&REV_D0\3&13C0B0C5&0&50
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: USB Camera
Device ID: USB\VID_05A9&PID_A518&MI_00\6&27624C&0&0000
Manufacturer:
Name: USB Camera
PNP Device ID: USB\VID_05A9&PID_A518&MI_00\6&27624C&0&0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-08-28 18:48:26 438 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2007-08-20 18:26:16 372 --a------ C:\WINDOWS\Tasks\RegCure.job
2007-07-25 19:37:18 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2007-07-28 and 2007-08-28 -----------------------------

2007-08-28 2001 0 d-------- C:\Program Files\Trend Micro
2007-08-28 20:00:32 0 d-------- C:\ie-spyad_zo
2007-08-28 19:59:08 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-28 19:59:08 0 d-------- C:\Program Files\SpywareBlaster
2007-08-28 19:17:18 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-28 19:17:16 0 d-------- C:\WINDOWS\LastGood
2007-08-28 19:04:33 0 --a------ C:\WINDOWS\system32\qwintmdt.exe
2007-08-27 21:28:43 0 d--hs---- C:\Documents and Settings\Admin\Recent
2007-08-27 21:15:32 36864 --a------ C:\WINDOWS\system32\onoyb.dll
2007-08-27 21:15:31 66048 --a------ C:\WINDOWS\QMDispatch.dll
2007-08-27 21:15:26 0 d-------- C:\Program Files\QMacro
2007-08-27 20:19:37 0 d-------- C:\Program Files\JitBit
2007-08-27 20:15:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Macro Mania
2007-08-27 20:14:58 0 d-------- C:\Program Files\Macro Mania
2007-08-27 20:05:20 0 d-------- C:\Documents and Settings\Admin\Application Data\Grasssoft
2007-08-27 20:01:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Grasssoft
2007-08-25 16:25:43 0 d-------- C:\Program Files\vLite
2007-08-25 15:50:50 0 d-------- C:\Program Files\nLite
2007-08-22 19:32:19 0 d-------- C:\Program Files\Yahoo!
2007-08-21 18:55:59 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-08-20 18:25:18 0 d-------- C:\Program Files\RegCure
2007-08-20 18:10:26 0 d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2007-08-15 19:42:04 0 d-------- C:\Program Files\MSXML 6.0
2007-08-15 19:41:00 0 d-------- C:\Program Files\MSXML 4.0
2007-08-13 20:13:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-13 20:13:05 592402 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-08-13 20:13:04 217088 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-13 20:13:04 856064 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-13 20:13:04 1415680 --a------ C:\WINDOWS\system32\WMV9VCM.dll <Not Verified; Microsoft Corporation; Windows Media Video 9 VCM>
2007-08-13 20:13:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-13 20:13:03 620180 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-08-13 20:13:02 5120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-13 20:13:00 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-08-13 20:13:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2007-08-13 20:13:00 0 d-------- C:\Documents and Settings\Admin\Application Data\Real
2007-08-13 20:12:27 0 d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2007-08-13 19:48:57 57365 --a------ C:\WINDOWS\system32\lsdsrngr.exe <Not Verified; ; Browser Driver>
2007-08-13 19:44:47 934 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-08-13 19:44:32 57362 --a------ C:\WINDOWS\system32\dwdsrngt.exe <Not Verified; ; Browser Driver>
2007-08-13 18:58:29 0 d-------- C:\WINDOWS\pss
2007-08-12 1636 0 d-------- C:\Program Files\Final Fantasy VII
2007-08-12 15:37:45 0 d-------- C:\Program Files\Microsoft Silverlight
2007-08-11 12:52:17 0 d-------- C:\Program Files\Internet Download Manager
2007-08-11 12:48:45 0 d-------- C:\Documents and Settings\Admin\Application Data\IDM
2007-08-06 19:22:16 0 d-------- C:\Program Files\SpeedFan
2007-08-04 21:38:51 141612 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-08-04 21:38:42 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-08-04 19:30:50 0 d-------- C:\WINDOWS\Sun
2007-08-04 19:30:49 0 d-------- C:\Documents and Settings\Admin\Application Data\Sun
2007-08-04 14:30:48 0 d-------- C:\Program Files\Fast AVI MPEG Joiner
2007-08-04 13:54:58 0 d-------- C:\Program Files\Common Files\Ahead
2007-08-04 13:54:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-04 13:43:02 0 d-------- C:\Documents and Settings\Admin\Application Data\Adobe
2007-08-04 13:39:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-08-04 13:39:24 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-01 18:00:43 0 d-------- C:\WINDOWS\system32\appmgmt
2007-07-30 21:56:03 0 d-------- C:\Documents and Settings\Admin\Incomplete
2007-07-30 20:42:06 0 d-------- C:\Documents and Settings\Admin\Application Data\FrostWire
2007-07-30 20:38:00 0 d-------- C:\Program Files\Java
2007-07-30 20:37:58 0 d-------- C:\Program Files\Common Files\Java
2007-07-28 13:52:44 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-28 13:52:11 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-07-28 13:45:13 1089536 --a------ C:\WINDOWS\system32\XWheel.dll <Not Verified; ; XWheel Dynamic Link Library>
2007-07-28 13:45:13 25088 --a------ C:\WINDOWS\system32\drivers\GMFilter.sys <Not Verified; Game; Gaming Mouse>
2007-07-28 13:45:13 0 d-------- C:\Program Files\Laser Center
2007-07-28 13:45:12 450560 --a------ C:\WINDOWS\system32\MousePage.dll <Not Verified; ; MousePage Module>
2007-07-28 13:45:12 114688 --a------ C:\WINDOWS\system32\Hook.dll


-- Find3M Report ---------------------------------------------------------------

2007-08-28 19:58:13 0 d-------- C:\Documents and Settings\Admin\Application Data\DMCache
2007-08-28 19:50:21 0 d-------- C:\Program Files\PowerISO
2007-08-28 19:49:58 0 d-------- C:\Program Files\MSN Messenger
2007-08-28 19:49:51 0 d-------- C:\Program Files\Messenger
2007-08-25 16:58:40 0 d-------- C:\Program Files\UltraISO
2007-08-13 19:19:09 0 d-------- C:\Program Files\Windows NT
2007-08-13 19:19:09 0 d-------- C:\Program Files\Movie Maker
2007-08-11 14:34:43 0 d-------- C:\Documents and Settings\Admin\Application Data\Ahead
2007-08-04 13:54:58 0 d-------- C:\Program Files\Common Files
2007-07-28 13:45:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-26 18:31:18 0 d-------- C:\Documents and Settings\Admin\Application Data\Identities
2007-07-26 17:51:32 0 d-------- C:\Program Files\Nero
2007-07-25 20:28:00 0 d-------- C:\Program Files\Windows Media Connect 2
2007-07-25 20:19:58 0 d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2007-07-25 20:19:41 0 d-------- C:\Program Files\Lavasoft
2007-07-25 20:18:22 0 d-------- C:\Documents and Settings\Admin\Application Data\WinRAR
2007-07-25 20:14:28 0 d-------- C:\Program Files\Realtek AC97
2007-07-25 20:14:17 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-25 19:53:18 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 19:53:01 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla
2007-07-25 19:50:52 0 d-------- C:\Documents and Settings\Admin\Application Data\Macromedia
2007-07-25 19:50:30 0 d-------- C:\Program Files\Alwil Software
2007-07-25 19:37:12 0 d-------- C:\Documents and Settings\Admin\Application Data\TuneUp Software
2007-07-25 19:24:22 0 -rahs---- C:\MSDOS.SYS
2007-07-25 19:24:22 0 -rahs---- C:\IO.SYS
2007-07-25 19:24:22 0 --a------ C:\CONFIG.SYS
2007-07-25 19:24:22 0 --a------ C:\AUTOEXEC.BAT
2007-07-25 19:22:42 0 d--h----- C:\Program Files\WindowsUpdate
2007-07-25 19:21:53 0 d-------- C:\Program Files\Common Files\MSSoap
2007-07-25 19:20:57 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-07-25 19:20:38 0 d-------- C:\Program Files\Online Services
2007-07-25 19:18:50 0 d-------- C:\Program Files\MSN Gaming Zone
2007-07-25 12:12:44 0 d-------- C:\Program Files\Common Files\ODBC
2007-07-25 12:12:42 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-25 12:12:23 62 --ahs---- C:\Documents and Settings\Admin\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 09:06 AM C:\WINDOWS\AGRSMMSG.exe]
"Laser mouse"="C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe" [05/03/2005 09:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"{4D-D6-6B-BE-ZN}"="C:\WINDOWS\system32\lsdsrngr.exe" [08/13/2007 07:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 09:00 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [05/16/2007 09:27 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [01/06/2007 05:03 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
TA_Start.lnk - C:\WINDOWS\system32\lsdsrngr.exe [8/13/2007 7:48:57 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Think-Adz.lnk]
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
C:\Program Files\Internet Download Manager\IDMan.exe /onboot




-- End of Deckard's System Scanner: finished at 2007-08-28 2048 ------------

Last edited by tetonbob; 08-31-2007 at 12:21 PM.
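The two logs in this post are the raw material for the triage done later in the thread: an autorun entry (an HJT O4 line) pointing at a binary that DSS shows was created days earlier with no vendor in its version information, next to a near-identical sibling file. The script below is an added example, not a tool posted in the thread and not part of HijackThis or DSS. It parses the two line formats exactly as they appear above and correlates them. The sample lines are copied from the logs in the post; the flagging rules (a value name that imitates a GUID, a missing vendor, a Startup-folder shortcut to a bare system32 executable, files sharing a description) are my own assumptions about what a log reader checks, not rules of either tool.

```python
"""Correlate HijackThis O4 autorun entries with the 'Files created' records
of a Deckard's System Scanner (DSS) log.  Added example for this thread;
line formats are taken from the logs above, the flagging rules are my own
assumptions (not HJT or DSS logic) about what a log reader checks."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples, copied from the two logs in the post.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{4D-D6-6B-BE-ZN}] C:\WINDOWS\system32\lsdsrngr.exe CHA001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lsdsrngr.exe
"""
DSS_SAMPLE = r"""
2007-08-28 19:04:33 0 --a------ C:\WINDOWS\system32\qwintmdt.exe
2007-08-13 19:48:57 57365 --a------ C:\WINDOWS\system32\lsdsrngr.exe <Not Verified; ; Browser Driver>
2007-08-13 19:44:32 57362 --a------ C:\WINDOWS\system32\dwdsrngt.exe <Not Verified; ; Browser Driver>
2007-08-13 20:13:04 1415680 --a------ C:\WINDOWS\system32\WMV9VCM.dll <Not Verified; Microsoft Corporation; Windows Media Video 9 VCM>
2007-07-28 13:45:12 0 d-------- C:\Program Files\Laser Center
"""

# HJT: "O4 - <hive>\..\Run: [<value name>] <command>"  /  "O4 - Startup: <lnk> = <command>"
O4_KEY = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<cmd>.*)$')
# DSS: "<date> <time> <size> <attrs> <path> [<status; company; description>]"
DSS_FILE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) '
                      r'(?P<attrs>\S+) (?P<path>.+?)(?: <(?P<ver>[^>]*)>)?$')
# First executable image in a command line, quoted or not, arguments ignored.
IMAGE = re.compile(r'\s*"?(?P<path>[^"]+?\.(?:exe|dll|scr|com))\b', re.I)


@dataclass
class FileRecord:
    created: str
    size: int
    path: str
    has_version: bool   # DSS only annotates files that carry a version resource
    verified: bool      # False when DSS printed "<Not Verified; ...>"
    company: str        # empty when the version resource names no vendor
    description: str


@dataclass
class Finding:
    entry: str
    image: str
    reasons: List[str]


def parse_dss(text: str) -> List[FileRecord]:
    """Parse DSS 'Files created' lines; directories are skipped."""
    records = []
    for line in text.splitlines():
        m = DSS_FILE.match(line.strip())
        if not m or m['attrs'].startswith('d'):
            continue
        parts = [p.strip() for p in m['ver'].split(';')] if m['ver'] else []
        records.append(FileRecord(
            created=m['created'], size=int(m['size']), path=m['path'],
            has_version=m['ver'] is not None,
            verified=bool(parts) and parts[0] != 'Not Verified',
            company=parts[1] if len(parts) > 1 else '',
            description=parts[2] if len(parts) > 2 else ''))
    return records


def suspicious_name(name: str) -> bool:
    """A Run value name dressed up as a GUID but containing non-hex characters."""
    m = re.fullmatch(r'\{([0-9A-Za-z-]+)\}', name)
    return bool(m) and not re.fullmatch(r'[0-9A-Fa-f-]+', m.group(1))


def lookalikes(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Group vendor-less files by version description (e.g. two 'Browser Driver' binaries)."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        if r.has_version and not r.company and r.description:
            groups.setdefault(r.description, []).append(r.path)
    return {d: p for d, p in groups.items() if len(p) > 1}


def correlate(hjt_text: str, dss_text: str) -> List[Finding]:
    """Return autorun entries whose image or value name deserves a closer look."""
    records = parse_dss(dss_text)
    by_path = {r.path.lower(): r for r in records}
    siblings = lookalikes(records)
    findings = []
    for line in (l.strip() for l in hjt_text.splitlines()):
        m = O4_KEY.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        from_startup = 'lnk' in m.groupdict()
        img = IMAGE.match(m['cmd'])
        if not img:
            continue
        image, reasons = img['path'], []
        if not from_startup and suspicious_name(m['name']):
            reasons.append(f"value name {m['name']} imitates a GUID but is not hex")
        rec: Optional[FileRecord] = by_path.get(image.lower())
        if rec is not None and (not rec.has_version or not rec.company):
            reasons.append(f"image created {rec.created} with no vendor in its version info")
            for desc, paths in siblings.items():
                if rec.path in paths:
                    others = ', '.join(p for p in paths if p != rec.path)
                    reasons.append(f"shares description '{desc}' with {others}")
        if from_startup and '\\system32\\' in image.lower():
            reasons.append("Startup-folder shortcut launches a bare system32 executable")
        if reasons:
            findings.append(Finding(line, image, reasons))
    return findings


if __name__ == '__main__':
    for f in correlate(HJT_SAMPLE, DSS_SAMPLE):
        print(f.entry, *('  - ' + r for r in f.reasons), sep='\n')
```

Run as-is, the two lsdsrngr.exe entries are flagged (the Run key additionally for its non-hex GUID-style value name, the Startup shortcut for pointing straight at a system32 executable) and both are tied to the sibling dwdsrngt.exe, created four minutes earlier with the same description and almost the same size. The avast, Java and ctfmon lines pass because their images are absent from the recent-files list and their value names are ordinary. A named but unverified vendor is deliberately not a reason on its own: in this DSS log every non-Microsoft file is "Not Verified", so that alone would flag avast and Nero as well.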
#2 - 08-30-2007, 11:49 PM - confrontation
Re: qwintdmt.exe and brbr program

BUMP bump
#3 - 08-31-2007, 12:26 PM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,697; OS: 2000 Pro; XP Pro; XP Home)
Re: qwintdmt.exe and brbr program

I see you have an entire folder dedicated to keygens:

C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS

We do not support the use of illegal software here.

It is through the use of such software many people become infected.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
#4 - 08-31-2007, 09:20 PM - confrontation
Re: qwintdmt.exe and brbr program

No, I don't use any programs like that... it's just a folder; I have no idea where it came from. It has 4 keygens in it; I don't even use the programs they are for.

Last edited by confrontation; 08-31-2007 at 09:22 PM.
#5 - 08-31-2007, 09:54 PM - tetonbob
Re: qwintdmt.exe and brbr program

Ok, I'll be glad to help you remove those which Panda did not, and the infections.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
1. Download combofix.exe to your desktop.
2. Disconnect from the internet... pull the plug!
3. Disable the real-time protection of your Anti-Virus. Exit the program via the System Tray icon.
4. Double click on combofix.exe & follow the prompts. Type "1" and press Enter to begin the scan.
5. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
6. Re-enable your Anti-Virus if it is not active... a reboot should have re-activated it.
7. Re-establish an internet connection.
8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
#6 - 09-01-2007, 02:56 AM - confrontation
Re: qwintdmt.exe and brbr program

Here are the ComboFix and HijackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:05 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rwk2.racewarkingdoms.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Laser mouse] "C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6006 bytes



ComboFix 07-08-30.3 - "Admin" 2007-09-01 20:38:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.674 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Admin\APPLIC~1\macromedia\Flash Player\#SharedObjects\ZXE9ZS5T\iforex.com
C:\DOCUME~1\Admin\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\DOCUME~1\Admin\Desktop\internet explorer.lnk
C:\DOCUME~1\Admin\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Admin\STARTM~1\Programs\Startup\ta_start.lnk
C:\WINDOWS\qmdispatch.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\lsdsrngr.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))


2007-09-01 20:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 20:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 20:04 <DIR> d-------- C:\Deckard
2007-08-28 20:00 <DIR> d-------- C:\ie-spyad_zo
2007-08-28 19:59 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-28 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-28 19:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-27 21:15 36,864 --a------ C:\WINDOWS\system32\onoyb.dll
2007-08-27 21:15 <DIR> d-------- C:\Program Files\QMacro
2007-08-27 20:19 <DIR> d-------- C:\Program Files\JitBit
2007-08-27 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macro Mania
2007-08-27 20:05 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Grasssoft
2007-08-27 20:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grasssoft
2007-08-25 16:25 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2007-08-25 16:25 <DIR> d-------- C:\Program Files\vLite
2007-08-25 15:50 <DIR> d-------- C:\Program Files\nLite
2007-08-22 19:32 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-20 18:25 <DIR> d-------- C:\Program Files\RegCure
2007-08-20 18:10 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Uniblue
2007-08-15 19:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-15 19:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-15 19:40 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-15 19:28 1,104,896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-08-15 19:27 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-08-15 19:23 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-08-13 20:13 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-08-13 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-08-13 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-13 20:13 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Real
2007-08-13 20:12 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Media Player Classic
2007-08-13 18:58 <DIR> d-------- C:\WINDOWS\pss
2007-08-12 16:06 <DIR> d-------- C:\Program Files\Final Fantasy VII
2007-08-12 15:37 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-08-11 12:52 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-08-11 12:48 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\IDM
2007-08-06 19:22 <DIR> d-------- C:\Program Files\SpeedFan
2007-08-04 21:38 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-08-04 21:38 141,612 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-08-04 14:30 <DIR> d-------- C:\Program Files\Fast AVI MPEG Joiner
2007-08-04 13:54 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-04 13:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-01 20:37 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\DMCache
2007-08-28 19:50 --------- d-------- C:\Program Files\PowerISO
2007-08-28 19:49 --------- d-------- C:\Program Files\MSN Messenger
2007-08-25 16:58 --------- d-------- C:\Program Files\UltraISO
2007-08-13 19:38 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\FrostWire
2007-08-11 14:34 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\Ahead
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-28 13:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-28 13:45 --------- d-------- C:\Program Files\Laser Center
2007-07-27 15:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 15:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 15:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 15:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 14:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 14:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 14:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-26 17:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-26 17:51 --------- d-------- C:\Program Files\Nero
2007-07-25 20:28 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-25 20:19 --------- d-------- C:\Program Files\Lavasoft
2007-07-25 20:19 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\Lavasoft
2007-07-25 20:18 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\WinRAR
2007-07-25 20:14 --------- d-------- C:\Program Files\Realtek AC97
2007-07-25 20:14 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-25 19:50 --------- d-------- C:\Program Files\Alwil Software
2007-07-25 19:37 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\TuneUp Software
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:06 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:37 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:37 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 04:26 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 15:03]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"Laser mouse"="C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe" [2005-05-03 21:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-01-06 05:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMHelp"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Think-Adz.lnk]
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
C:\Program Files\Internet Download Manager\IDMan.exe /onboot

R3 GMFilter Filter;GMFilter Filter;C:\WINDOWS\system32\Drivers\GMFilter.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys


Contents of the 'Scheduled Tasks' folder
2007-07-26 02:37:18 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
2007-09-02 03:41:54 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe
2007-08-21 01:26:16 C:\WINDOWS\Tasks\RegCure.job - C:\Program Files\RegCure\RegCure.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 20:42:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-01 20:43:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 20:42

--- E O F ---



Code:
2007-04-24 22:08      66048    --a------    C:\Qoobox\Quarantine\C\WINDOWS\QMDispatch.dll.vir
2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-07-25 20:10      803    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Admin\Desktop\Internet Explorer.lnk.vir
2007-08-13 19:44      118    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\msnav32.ax.vir
2007-08-13 19:44      57362    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir
2007-08-13 19:48      57365    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lsdsrngr.exe.vir
2007-08-15 18:41      934    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winpfz32.sys.vir
2007-08-15 19:09      21    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2007-09-01 15:15      642    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Admin\STARTM~1\Programs\Startup\TA_Start.lnk.vir
2007-09-01 20:38      107    --a------    C:\Qoobox\BackEnv\profiles.folder.cf
2007-09-01 20:38      156    --a------    C:\Qoobox\BackEnv\STARTUP.folder.cf
2007-09-01 20:38      157    --a------    C:\Qoobox\BackEnv\CACHE.folder.cf
2007-09-01 20:38      157    --a------    C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf
2007-09-01 20:38      167    --a------    C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf
2007-09-01 20:38      172    --a------    C:\Qoobox\BackEnv\PROGRAMS.folder.cf
2007-09-01 20:38      198    --a------    C:\Qoobox\BackEnv\APPDATA.folder.cf
2007-09-01 20:38      2899    --a------    C:\Qoobox\BackEnv\setpath.bat
2007-09-01 20:38      37    --a------    C:\Qoobox\BackEnv\MY PICTURES.folder.cf
2007-09-01 20:38      57    --a------    C:\Qoobox\BackEnv\DESKTOP.folder.cf
2007-09-01 20:38      59    --a------    C:\Qoobox\BackEnv\FAVORITES.folder.cf
2007-09-01 20:38      59    --a------    C:\Qoobox\BackEnv\PERSONAL.folder.cf
2007-09-01 20:38      59    --a------    C:\Qoobox\BackEnv\TEMPLATES.folder.cf
2007-09-01 20:38      90    --a------    C:\Qoobox\BackEnv\START MENU.folder.cf
2007-09-01 20:42      312488    --a------    C:\Qoobox\snapshot_2007-09-01_204232.60.cf


Folder PATH listing
Volume serial number is DCE4-D6BE
C:\QOOBOX
|   snapshot_2007-09-01_204232.60.cf
|   
+---BackEnv
|       APPDATA.folder.cf
|       CACHE.folder.cf
|       DESKTOP.folder.cf
|       FAVORITES.folder.cf
|       LOCAL APPDATA.folder.cf
|       LOCAL SETTINGS.folder.cf
|       MY PICTURES.folder.cf
|       PERSONAL.folder.cf
|       profiles.folder.cf
|       PROGRAMS.folder.cf
|       setpath.bat
|       START MENU.folder.cf
|       STARTUP.folder.cf
|       TEMPLATES.folder.cf
|       
\---Quarantine
    +---C
    |   +---ComboFix
    |   |       FProps.vbs.vir
    |   |       
    |   +---DOCUME~1
    |   |   \---Admin
    |   |       +---Desktop
    |   |       |       Internet Explorer.lnk.vir
    |   |       |       
    |   |       \---STARTM~1
    |   |           \---Programs
    |   |               \---Startup
    |   |                       TA_Start.lnk.vir
    |   |                       
    |   \---WINDOWS
    |       |   QMDispatch.dll.vir
    |       |   
    |       \---system32
    |               dwdsrngt.exe.vir
    |               lsdsrngr.exe.vir
    |               msnav32.ax.vir
    |               winpfz32.sys.vir
    |               zxdnt3d.cfg.vir
    |               
    \---Registry_backups



thanks for the help
Old 09-01-2007, 08:54 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: qwintdmt.exe and brbr program

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/177732-qwintdmt-exe-brbr-program.html

File::
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\Documents and Settings\Admin\Local Settings\Temp\whCC-TRAFE5.exe
C:\WINDOWS\system32\qwintmdt.exe
c:\windows\downloaded program files\f3initialsetup1.0.0.15-3.inf
C:\Documents and Settings\Admin\Local Settings\Temp\NER2E.tmp
C:\Documents and Settings\Admin\Local Settings\Temp\NERA.tmp
C:\Documents and Settings\Admin\Local Settings\Temp\setup_rightonadz.exe
C:\Documents and Settings\Admin\Local Settings\Temp\TICHA001.exe

Folder::
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Think-Adz.lnk]

Collect::
C:\WINDOWS\system32\onoyb.dll

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
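The CFScript format used in the post above, as an added example that is not part of this thread or of ComboFix itself: a small Python parser and sanity checker for such a script. The section names it treats as known (File::, Folder::, Registry::, Collect::) are the ones that appear in the post; the sample script is built from the post's own entries, and the check functions are an assumption about what a well-formed script looks like, not ComboFix's own validation.

```python
"""Parse and sanity-check a ComboFix CFScript.

Example code added to this thread; it is not part of ComboFix. The format as
it appears in the post above: an optional header line (the thread URL), then
sections introduced by a keyword ending in '::', each followed by one entry per
line (file/folder paths, or registry keys in [KEY] / [-KEY] form).
"""
import re
from collections import OrderedDict

# Section names seen in the post; anything else is reported as unknown
# (assumption: other directives may exist, but only these are checked here).
KNOWN_SECTIONS = {"File", "Folder", "Registry", "Collect"}

SECTION_RE = re.compile(r"^(\w+)::\s*$")
# Absolute Windows path: drive letter, colon, backslash.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Registry key line: "[-KEY]" removes the key, "[KEY]" selects it for value edits.
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")

# Constructed sample, assembled from a subset of the entries in the post above.
SAMPLE_CFSCRIPT = """\
http://www.techsupportforum.com/security-center/hijackthis-log-help/177732-qwintdmt-exe-brbr-program.html

File::
C:\\WINDOWS\\pss\\Think-Adz.lnkStartup
C:\\WINDOWS\\system32\\qwintmdt.exe
C:\\Documents and Settings\\Admin\\Local Settings\\Temp\\setup_rightonadz.exe

Folder::
C:\\Documents and Settings\\All Users\\Desktop\\KEYGENS FOR PROGRAMS

Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupfolder\\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Think-Adz.lnk]

Collect::
C:\\WINDOWS\\system32\\onoyb.dll
"""


def parse_cfscript(text):
    """Return (header, sections); sections maps section name -> list of entry lines."""
    header = None
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            # Text before the first section is the header (the thread URL in the post).
            header = line if header is None else header + " " + line
            continue
        sections[current].append(line)
    return header, sections


def check_cfscript(text):
    """Return a list of readable problems; an empty list means the script looks well-formed."""
    problems = []
    _header, sections = parse_cfscript(text)
    if not sections:
        problems.append("no sections found")
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
        if not entries:
            problems.append(f"section {name}:: is empty")
        saw_key = False
        for entry in entries:
            if name in ("File", "Folder", "Collect"):
                if not ABS_PATH_RE.match(entry):
                    problems.append(f"{name}:: entry is not an absolute path: {entry}")
            elif name == "Registry":
                if entry.startswith("["):
                    if not REG_KEY_RE.match(entry):
                        problems.append(f"Registry:: malformed key line: {entry}")
                    saw_key = True
                elif "=" in entry:
                    # A value line must follow a [KEY] line that selects the key it edits.
                    if not saw_key:
                        problems.append(f"Registry:: value line before any [key]: {entry}")
                else:
                    problems.append(f"Registry:: entry is neither a [key] nor a value line: {entry}")
    return problems


if __name__ == "__main__":
    hdr, secs = parse_cfscript(SAMPLE_CFSCRIPT)
    print("header:", hdr)
    for sec, items in secs.items():
        print(f"{sec}:: {len(items)} entries")
    print("problems:", check_cfscript(SAMPLE_CFSCRIPT) or "none")
```

Running it on the sample reports four sections and no problems; feeding it a script with a relative path, a value line before any key, or a section name the post does not use produces one message per defect, which is the kind of check worth doing before dragging a hand-typed script onto ComboFix.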
Old 09-01-2007, 05:23 PM   #8 (permalink)
Registered User
 
Join Date: May 2007
Location: New Zealand
Posts: 164
OS: Windows 7 Ultimate 64x


Re: qwintdmt.exe and brbr program

Hello, I have gone back to the first steps you asked me to do, as I saw I had done it wrong, and have now done it the way you said to. Here are the logs.


ComboFix 07-08-30.3 - "Admin" 2007-09-02 11:14:11.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.722 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))


2007-09-01 20:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 20:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 20:04 <DIR> d-------- C:\Deckard
2007-08-28 19:59 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-28 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-28 19:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-27 21:15 <DIR> d-------- C:\Program Files\QMacro
2007-08-27 20:19 <DIR> d-------- C:\Program Files\JitBit
2007-08-27 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macro Mania
2007-08-27 20:05 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Grasssoft
2007-08-27 20:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grasssoft
2007-08-25 16:25 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2007-08-22 19:32 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-20 18:25 <DIR> d-------- C:\Program Files\RegCure
2007-08-20 18:10 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Uniblue
2007-08-15 19:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-15 19:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-15 19:40 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-15 19:28 1,104,896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-08-15 19:27 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-08-15 19:23 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-08-13 20:13 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-08-13 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-08-13 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-13 20:13 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Real
2007-08-13 20:12 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Media Player Classic
2007-08-13 18:58 <DIR> d-------- C:\WINDOWS\pss
2007-08-12 16:06 <DIR> d-------- C:\Program Files\Final Fantasy VII
2007-08-12 15:37 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-08-11 12:52 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-08-11 12:48 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\IDM
2007-08-06 19:22 <DIR> d-------- C:\Program Files\SpeedFan
2007-08-04 21:38 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-08-04 21:38 141,612 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-08-04 14:30 <DIR> d-------- C:\Program Files\Fast AVI MPEG Joiner
2007-08-04 13:54 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-04 13:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-01 20:37 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\DMCache
2007-08-28 19:50 --------- d-------- C:\Program Files\PowerISO
2007-08-28 19:49 --------- d-------- C:\Program Files\MSN Messenger
2007-08-25 16:58 --------- d-------- C:\Program Files\UltraISO
2007-08-13 19:38 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\FrostWire
2007-08-11 14:34 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\Ahead
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-28 13:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-28 13:45 --------- d-------- C:\Program Files\Laser Center
2007-07-27 15:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 15:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 15:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 15:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 14:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 14:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 14:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-26 17:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-26 17:51 --------- d-------- C:\Program Files\Nero
2007-07-25 20:28 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-25 20:19 --------- d-------- C:\Program Files\Lavasoft
2007-07-25 20:19 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\Lavasoft
2007-07-25 20:18 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\WinRAR
2007-07-25 20:14 --------- d-------- C:\Program Files\Realtek AC97
2007-07-25 20:14 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-25 19:50 --------- d-------- C:\Program Files\Alwil Software
2007-07-25 19:37 --------- d-------- C:\DOCUME~1\Admin\APPLIC~1\TuneUp Software
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:06 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:37 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:37 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 04:26 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 15:03]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"Laser mouse"="C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe" [2005-05-03 21:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-01-06 05:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMHelp"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
C:\Program Files\Internet Download Manager\IDMan.exe /onboot

R3 GMFilter Filter;GMFilter Filter;C:\WINDOWS\system32\Drivers\GMFilter.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys


Contents of the 'Scheduled Tasks' folder
2007-07-26 02:37:18 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
2007-09-02 17:57:20 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe
2007-08-21 01:26:16 C:\WINDOWS\Tasks\RegCure.job - C:\Program Files\RegCure\RegCure.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-02 11:14:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-02 11:15:04
C:\ComboFix-quarantined-files.txt ... 2007-09-02 11:15

--- E O F ---



Code:
2007-09-02 11:06      107    --a------    C:\Qoobox\BackEnv\profiles.folder.cf
2007-09-02 11:06      156    --a------    C:\Qoobox\BackEnv\STARTUP.folder.cf
2007-09-02 11:06      157    --a------    C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf
2007-09-02 11:06      167    --a------    C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf
2007-09-02 11:06      172    --a------    C:\Qoobox\BackEnv\PROGRAMS.folder.cf
2007-09-02 11:06      198    --a------    C:\Qoobox\BackEnv\APPDATA.folder.cf
2007-09-02 11:06      2899    --a------    C:\Qoobox\BackEnv\setpath.bat
2007-09-02 11:06      37    --a------    C:\Qoobox\BackEnv\MY PICTURES.folder.cf
2007-09-02 11:06      57    --a------    C:\Qoobox\BackEnv\DESKTOP.folder.cf
2007-09-02 11:06      59    --a------    C:\Qoobox\BackEnv\FAVORITES.folder.cf
2007-09-02 11:06      59    --a------    C:\Qoobox\BackEnv\PERSONAL.folder.cf
2007-09-02 11:06      59    --a------    C:\Qoobox\BackEnv\TEMPLATES.folder.cf
2007-09-02 11:06      77    --a------    C:\Qoobox\BackEnv\CACHE.folder.cf
2007-09-02 11:06      90    --a------    C:\Qoobox\BackEnv\START MENU.folder.cf
2007-09-02 11:07      311606    --a------    C:\Qoobox\snapshot_2007-09-02_110722.78.cf


Folder PATH listing
Volume serial number is DCE4-D6BE
C:\QOOBOX
|   snapshot_2007-09-02_110722.78.cf
|   
+---BackEnv
|       APPDATA.folder.cf
|       CACHE.folder.cf
|       DESKTOP.folder.cf
|       FAVORITES.folder.cf
|       LOCAL APPDATA.folder.cf
|       LOCAL SETTINGS.folder.cf
|       MY PICTURES.folder.cf
|       PERSONAL.folder.cf
|       profiles.folder.cf
|       PROGRAMS.folder.cf
|       setpath.bat
|       START MENU.folder.cf
|       STARTUP.folder.cf
|       TEMPLATES.folder.cf
|       
\---Quarantine
    +---C
    |   \---ComboFix
    \---Registry_backups

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:56 AM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rwk2.racewarkingdoms.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Laser mouse] "C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5704 bytes




I subscribed to the thread, but I don't get notified when the thread has a reply.
Old 09-01-2007, 06:04 PM   #9
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home

Re: qwintdmt.exe and brbr program

Quote:
Hello, I have gone back to the first steps you asked me to do, as I saw I had done it wrong, and have now done it the way you said to. Here are the logs.
Why did you think you did anything wrong? And why did you not follow my instructions as I had posted them? My last post was a continuation of the instructions....
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 09-01-2007, 06:21 PM   #10
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home

Re: qwintdmt.exe and brbr program

Please do the online scan at Kaspersky as instructed.
Old 09-02-2007, 02:27 AM   #11
confrontation
Registered User
Join Date: May 2007
Location: New Zealand
Posts: 164
OS: Windows 7 Ultimate 64x

Re: qwintdmt.exe and brbr program

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 02, 2007 8:24:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/09/2007
Kaspersky Anti-Virus database records: 402437
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 37824
Number of viruses found: 20
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 01:03:38

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\NER2E.tmp\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\NERA.tmp\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup_rightonadz.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup_rightonadz.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup_rightonadz.exe NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\TICHA001.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\whCC-TRAFE5.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\whCC-TRAFE5.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\whCC-TRAFE5.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\whCC-TRAFE5.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\whCC-TRAFE5.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\whCC-TRAFE5.exe RarSFX: infected - 5 skipped
C:\Documents and Settings\Admin\Application Data\IDM\DwnlData\Admin\P_728\P.zip3 Object is locked skipped
C:\Documents and Settings\Admin\Application Data\IDM\DwnlData\Admin\P_728\P.zip5 Object is locked skipped
C:\Documents and Settings\Admin\Application Data\IDM\DwnlData\Admin\P_728\P.zip6 Object is locked skipped
C:\Documents and Settings\Admin\Application Data\IDM\DwnlData\Admin\P_728\P.zip7 Object is locked skipped
C:\Documents and Settings\Admin\Application Data\IDM\DwnlData\Admin\P_728\P.zip8 Object is locked skipped
C:\Documents and Settings\Admin\Application Data\IDM\DwnlData\Admin\P_728\P.zip9 Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Identities\{AE46E60E-C74B-4FCD-8188-B1DFC17FBEA8}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Identities\{AE46E60E-C74B-4FCD-8188-B1DFC17FBEA8}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007090220070903\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF3247.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DFC865.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DFC871.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\My Documents\Appz\Mac_Os_X_Tiger_For_Win_XP_Special.rar/Mac Os X Tiger For Win XP Special.exe/stream/data0023 Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Admin\My Documents\Appz\Mac_Os_X_Tiger_For_Win_XP_Special.rar/Mac Os X Tiger For Win XP Special.exe/stream Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Admin\My Documents\Appz\Mac_Os_X_Tiger_For_Win_XP_Special.rar/Mac Os X Tiger For Win XP Special.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Admin\My Documents\Appz\Mac_Os_X_Tiger_For_Win_XP_Special.rar RAR: infected - 3 skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP24\A0008178.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008355.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008355.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008378.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008379.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008380.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008381.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008388.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008390.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008391.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008392.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008393.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008394.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008395.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008396.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008397.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008399.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008400.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008401.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008403.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008404.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008406.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008408.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008409.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008410.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008414.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008529.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008530.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008531.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008532.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008533.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008534.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008544.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010462.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010488.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010498.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010499.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010702.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010703.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP29\A0010822.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP32\A0010969.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP33\A0011023.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP33\A0011036.dll Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP33\A0011589.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP33\A0011967.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP34\A0015419.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP35\A0015433.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP37\A0015758.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP39\A0015810.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP44\A0015923.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP44\A0015924.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP45\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FB6944E7-9324-4DB2-8204-5800A7AFAD68}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_574.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
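Added example, not part of the thread and not a Kaspersky tool: a small Python triage of the Kaspersky report above. It groups the "Infected" lines by the on-disk file and where it lives, and counts the "Object is locked" and archive-summary lines separately as noise, which shows why nearly every hit sits in the Deckard's System Scanner backup folder or a System Restore point, the two places the next reply has you delete and reset. The location labels and rules are this example's own, and the sample lines are a representative subset copied from the report.

```python
"""Triage the 'Infected Object Name / Virus Name / Last Action' section of a
Kaspersky Online Scanner (v5) report. Added example; the location labels and
classification rules are this example's own, not Kaspersky's."""
import re
from collections import Counter, defaultdict

# Where a flagged file lives decides the cleanup step it needs. The first two
# labels hold copies of already-removed files rather than a live infection:
# restore points go away when System Restore is reset, and C:\Deckard is the
# Deckard's System Scanner backup folder.
LOCATION_RULES = [
    (r"^C:\\System Volume Information\\_restore", "System Restore point"),
    (r"^C:\\Deckard\\System Scanner\\backup", "DSS backup"),
    (r"^C:\\Documents and Settings\\[^\\]+\\My Documents", "User documents"),
    (r"^C:\\Documents and Settings\\[^\\]+\\Cookies", "Cookies"),
    (r"^C:\\WINDOWS", "Windows directory"),
    (r"^C:\\Program Files", "Program Files"),
]
NOT_LIVE = {"System Restore point", "DSS backup"}

INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")
# Container summary lines, e.g. 'setup.exe NSIS: infected - 2 skipped'
ARCHIVE_RE = re.compile(
    r"^(?P<obj>.+?) (?P<kind>NSIS|RarSFX|RAR|WiseSFX|ZIP|CAB): infected - (?P<n>\d+) \w+$")


def on_disk_path(obj):
    """Archive members are reported as <file>/<member>; keep only <file>."""
    return obj.split("/", 1)[0]


def family(name):
    """'not-a-virus:AdTool.Win32.MyWebSearch.as' -> 'AdTool.Win32.MyWebSearch'."""
    core = name.split(":", 1)[-1]
    return ".".join(core.split(".")[:3])


def classify(path):
    for pattern, label in LOCATION_RULES:
        if re.match(pattern, path, re.IGNORECASE):
            return label
    return "Other"


def triage(report_lines):
    """Group detections by on-disk file and location; count the noise separately."""
    files_by_location = defaultdict(set)
    families = Counter()
    locked = archives = unparsed = 0
    for line in report_lines:
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = on_disk_path(m.group("obj"))
            files_by_location[classify(path)].add(path)
            families[family(m.group("name"))] += 1
        elif LOCKED_RE.match(line):
            locked += 1      # in-use system files the scanner could not open, not detections
        elif ARCHIVE_RE.match(line):
            archives += 1    # summary of archive members already listed above it
        else:
            unparsed += 1
    return {
        "files_by_location": {k: sorted(v) for k, v in files_by_location.items()},
        "families": families,
        "locked": locked,
        "archive_summaries": archives,
        "unparsed": unparsed,
    }


def still_live(result):
    """Flagged files outside restore points and tool backups: what still needs action."""
    return {loc: files for loc, files in result["files_by_location"].items()
            if loc not in NOT_LIVE}


# Representative subset of lines copied from the report posted above.
SAMPLE_REPORT = [
    r"C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\NER2E.tmp\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped",
    r"C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped",
    r"C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped",
    r"C:\Deckard\System Scanner\backup\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe NSIS: infected - 2 skipped",
    r"C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped",
    r"C:\Documents and Settings\Admin\My Documents\Appz\Mac_Os_X_Tiger_For_Win_XP_Special.rar/Mac Os X Tiger For Win XP Special.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped",
    r"C:\Documents and Settings\Admin\My Documents\Appz\Mac_Os_X_Tiger_For_Win_XP_Special.rar RAR: infected - 3 skipped",
    r"C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP26\A0008378.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped",
    r"C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP27\A0010462.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped",
    r"C:\System Volume Information\_restore{EFABBA73-D2B1-462C-B5F2-37715887E8F7}\RP33\A0011036.dll Infected: not-a-virus:AdWare.Win32.Agent.dy skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\WINDOWS\WindowsUpdate.log Object is locked skipped",
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for loc, files in result["files_by_location"].items():
        print(f"{loc}: {len(files)} file(s)")
    print("families:", dict(result["families"]))
    print("locked (noise):", result["locked"], "archive summaries:", result["archive_summaries"])
    print("still live:", still_live(result))
```

Run against the full report, the only flagged files outside the two not-live locations are the archives under My Documents\Appz, which is the part the later cleanup steps do not touch by themselves.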
Old 09-02-2007, 07:41 AM   #12
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home

Re: qwintdmt.exe and brbr program

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 11


These are all outdated, and they are security risks while they remain installed. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should.

Leave Java(TM) 6 Update 2 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Delete the following:

C:\Deckard

---------------------------------------------------------------------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware
  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the main Status screen, under Your Computer's Security, click Resident Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Do Not Automatically generate report after every scan"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (Make sure to remember where you saved that file; this is important.)

Restart in normal mode.

---------------------------------------------------------------------------------------------

Post the log from AVG Anti-Spyware, and a new HijackThis log. How is your system behaving, please?
Old 09-03-2007, 03:00 AM   #13
confrontation
Registered User
Join Date: May 2007
Location: New Zealand
Posts: 164
OS: Windows 7 Ultimate 64x

Re: qwintdmt.exe and brbr program

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:51:17 PM 9/3/2007

+ Scan result:



C:\Documents and Settings\Admin\My Documents\Appz\Xilisoft-kg.rar/XiliSoftKeygen.exe -> Downloader.Zlob.bke : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@3.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@4.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ads.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@rotator.its.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@e-2dj6wjk4shc5mlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@e-2dj6wjkyeocjgdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@searchportal.information[1].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@www.paypal[1].txt -> TrackingCookie.Paypal : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@revenue[2].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@m.webtrends[1].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@yadro[2].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@zedo[1].txt -> TrackingCookie.Zedo : No action taken.


::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:33 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rwk2.racewarkingdoms.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Laser mouse] "C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6490 bytes
Old 09-03-2007, 08:41 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: qwintdmt.exe and brbr program

Quote:
C:\Documents and Settings\Admin\My Documents\Appz\Xilisoft-kg.rar/XiliSoftKeygen.exe ->
Quote:
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS
Not one, but two locations for keygens.

Are you the only user of this machine?
Old 09-04-2007, 12:46 AM   #15 (permalink)
Registered User
 
Join Date: May 2007
Location: New Zealand
Posts: 164
OS: Windows 7 Ultimate 64x


Re: qwintdmt.exe and brbr program

I'm not the only user on this computer, and it only has one user account. As for
"C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS", it has been deleted; the other one will soon be done.
Old 09-04-2007, 12:56 AM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: qwintdmt.exe and brbr program

Ok....

I notice that the AVG log reads No Action Taken

Example:

Quote:
C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
Did you save the log before Applying all actions? If so, it should be fine, otherwise you'd need to run the scan again, and be sure to Apply All Actions.

How is the system behaving?
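The "No action taken" check tetonbob makes above is easy to automate when a scan report is long. The following is an added example, not code from the thread or from AVG: a small parser for the "path -> detection : action" layout AVG Anti-Spyware 7.5 writes, run over a constructed report (two lines mirror entries quoted in the thread, the third is a hypothetical entry whose action was already applied). It separates tracking cookies from everything else and says whether a rescan with "Apply all actions" is still needed.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample report. Real AVG Anti-Spyware 7.5 reports use the same
# "<path> -> <detection> : <action>" layout; the third result line is hypothetical.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:51:17 PM 9/3/2007

+ Scan result:

C:\Documents and Settings\Admin\My Documents\Appz\Xilisoft-kg.rar/XiliSoftKeygen.exe -> Downloader.Zlob.bke : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.

::Report end
"""


class Detection(NamedTuple):
    path: str
    name: str     # full detection name, e.g. "Downloader.Zlob.bke"
    family: str   # leading component, e.g. "Downloader" or "TrackingCookie"
    action: str   # e.g. "No action taken" or "Cleaned"


# One result line: path, " -> ", detection name, " : ", action, optional final period.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$")


def parse_report(text: str) -> List[Detection]:
    """Extract result lines; the header, '+ ...' metadata and '::Report end' do not match."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            name = m.group("name")
            found.append(Detection(m.group("path"), name, name.split(".", 1)[0], m.group("action")))
    return found


def unhandled(dets: List[Detection]) -> List[Detection]:
    """Entries still marked 'No action taken': the scan found them but did nothing."""
    return [d for d in dets if d.action.lower() == "no action taken"]


def needs_rescan(dets: List[Detection]) -> bool:
    """True when something other than a tracking cookie was left untouched."""
    return any(d.family != "TrackingCookie" for d in unhandled(dets))


def triage(dets: List[Detection]) -> Tuple[List[Detection], List[Detection]]:
    """Split detections into real threats (first) and tracking cookies (second)."""
    threats = [d for d in dets if d.family != "TrackingCookie"]
    cookies = [d for d in dets if d.family == "TrackingCookie"]
    return threats, cookies


if __name__ == "__main__":
    results = parse_report(SAMPLE_REPORT)
    threats, cookies = triage(results)
    print(f"{len(results)} detections: {len(threats)} threat(s), {len(cookies)} tracking cookie(s)")
    for d in unhandled(results):
        print("  still unhandled:", d.family, "-", d.path)
    print("rescan with Apply all actions:", needs_rescan(results))
```

Tracking cookies are the low-priority part of such a report; the entry to care about in the thread's own log is the Zlob downloader inside the keygen archive, which is why the example ranks by family rather than by count.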
Old 09-04-2007, 11:43 PM   #17 (permalink)
Registered User
 
Join Date: May 2007
Location: New Zealand
Posts: 164
OS: Windows 7 Ultimate 64x


Re: qwintdmt.exe and brbr program

I will run the scan again just to make sure.
And the computer is running better, thanks. I'm not getting the 2 problems I was at the start.

So, of the programs I have downloaded since the start of all this, which should I be keeping on here?

And many thanks for the help.
Old 09-05-2007, 09:14 AM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: qwintdmt.exe and brbr program

Your logs appear clean. You should be good to go. We still have a few items to address.

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools.

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it.

Please also delete ComboFix.exe

C:\Deckard is DSS's working folder. It can be safely deleted. Also delete dss.exe.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

    IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.

  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

    Do not install more than one firewall program because they will conflict with each other.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
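The HOSTS file mechanism behind the MVPS step above (a name mapped to 127.0.0.1 never reaches the ad server) is shown here as an added example, not code from the thread or from the MVPS project. It parses a constructed hosts file with placeholder hostnames (not entries from the real MVPS list), reports which names are sinkholed, mimics the resolver's exact-name matching, and also flags the opposite pattern, a real-looking name pointed at a routable address, which is what a hosts-file hijack by malware leaves behind and is worth reviewing before and after replacing the file.

```python
import ipaddress
from typing import Dict, Set

# Constructed sample in hosts-file syntax ("<ip> <hostname ...>", "#" starts a
# comment), the same layout the MVPS file uses. Hostnames are placeholders; the
# last line imitates a hijack entry (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS HOSTS file
127.0.0.1 localhost
127.0.0.1 ads.example-adnetwork.test          # ad server, sinkholed
127.0.0.1 tracker.example-counter.test
0.0.0.0   banners.example-banner.test         # 0.0.0.0 form used by newer lists
203.0.113.5 www.example-security-vendor.test  # hijack-style entry
"""

# Addresses that make a name resolve to nowhere useful.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map lowercased hostname -> IP, honouring comments and several names per line."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line: skip rather than guess
        for host in parts[1:]:
            table[host.lower()] = ip
    return table


def sinkholed_hosts(table: Dict[str, str]) -> Set[str]:
    """Names the file blocks (localhost itself is legitimately 127.0.0.1)."""
    return {h for h, ip in table.items() if ip in SINKHOLES and h != "localhost"}


def is_blocked(hostname: str, table: Dict[str, str]) -> bool:
    """Mimic the resolver: a hosts entry matches the exact name only, so a
    blocked 'ads.x' says nothing about 'cdn.ads.x'."""
    return table.get(hostname.lower().rstrip(".")) in SINKHOLES


def redirected_hosts(table: Dict[str, str]) -> Dict[str, str]:
    """Non-local names pointed at a routable address: the pattern a hosts-file
    hijack leaves behind, worth reviewing whenever the HOSTS file is replaced."""
    return {h: ip for h, ip in table.items()
            if ip not in SINKHOLES and not ipaddress.ip_address(ip).is_loopback}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sorted(sinkholed_hosts(table)))
    print("blocks ads.example-adnetwork.test:", is_blocked("ads.example-adnetwork.test", table))
    print("blocks cdn.ads.example-adnetwork.test:", is_blocked("cdn.ads.example-adnetwork.test", table))
    print("redirected (review these):", redirected_hosts(table))
```

The exact-match behaviour is the main caveat of the hosts-file approach: a list has to name every host an ad network uses, which is why the MVPS file is large and needs periodic updates.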
Old 09-06-2007, 12:15 AM   #19 (permalink)
Registered User
 
Join Date: May 2007
Location: New Zealand
Posts: 164
OS: Windows 7 Ultimate 64x


Re: qwintdmt.exe and brbr program

Thanks for the help.
Copyright 2001 - 2009, Tech Support Forum