TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Cannot Boot System After Finding Trojan (2)
I already have a thread here, but I was advised to start a thread here with log information.
Panda ActiveScan Report:

DSS Main Text:

DSS Extra Text:
AV: Trend Micro Internet Security v16.00.1447 () [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox" "C:\\Program Files\\AceBIT\\WISE-FTP\\wise_ftp.exe"="C:\\Program 
Files\\AceBIT\\WISE-FTP\\wise_ftp.exe:*:Enabled:WISE-FTP application executable" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\WINDOWS\\system32\\exayrspv.exe"="C:\\WINDOWS\\system32\\exa" "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Wheezy\Application Data CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=Wheezy ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Wheezy LOGONSERVER=\\WHEEZY NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QTSystem\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0404 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip SAFEBOOT_OPTION=MINIMAL SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Wheezy~1\LOCALS~1\Temp TMP=C:\DOCUME~1\Wheezy~1\LOCALS~1\Temp USERDOMAIN=Wheezy USERNAME=Wheezy USERPROFILE=C:\Documents and Settings\Wheezy windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Wheezy (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common 
Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6} --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01} Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Downloads\AresPhotoShop\Photoshop 7.0 Installation\Uninst.isu" -c"C:\Downloads\AresPhotoShop\Photoshop 7.0 Installation\Uninst.dll" Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001} AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C} Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6} CEP - Color Enable Package --> "C:\PROGRA~1\EAGAME~1\zCEP_Uninstaller\unins000.exe" Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54} Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76} Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe" Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC} DH Driver Cleaner Professional Edition --> C:\Documents and Settings\Wheezy\Desktop\nv4loopfix\Driver Cleaner\Driver Cleaner Pro\Uninstall.exe Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33} Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE} EducateU --> MsiExec.exe 
/I{A683A2C0-821C-486F-858C-FA634DB5E864} ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7} ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe" Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe IKatzu --> C:\WINDOWS\system32\IKatzuUninstall.exe Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST Intel(R) PRO Network Connections Drivers --> Prounstl.exe Intel(R) PROSet for Wired Connections --> MsiExec.exe /I{4CEA6811-DFAD-4892-828D-49941FE3B779} Intel(R) Quick Resume Technology Drivers --> MsiExec.exe /I{8C22F265-DE76-44D1-8A79-A71D819137DA} Intel(R) Quick Resume Technology Drivers --> MsiExec.exe /X{8C22F265-DE76-44D1-8A79-A71D819137DA} /qb! Intel® Viiv™ --> MsiExec.exe /X{903CE8F7-6C7B-41E6-A1CF-3BF1176264EC} Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030} Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Digital Image Suite 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=SUITE VERSION=11 Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7} Microsoft Plus! 
Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B} Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9} NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe" Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC} RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6} Roxio MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29} Search Assist --> MsiExec.exe /X{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC} SimPE 0.62 (alpha, light) --> "C:\Program Files\SimPE.62\unins000.exe" SimPE PhotoStudio Templates 3.0 --> "C:\WINDOWS\unins000.exe" Sims2Pack Clean Installer --> C:\Program Files\Sims2Pack Clean Installer\uninstall.exe Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1} Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011} Spybot - Search & Destroy 1.4 --> "C:\Downloads\Spybot - Search & Destroy\unins000.exe" The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe The Sims 2 Glamour Life Stuff --> C:\Program Files\EA GAMES\The Sims 2 Glamour Life Stuff\EAUninstall.exe The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe The Sims 2 Open For 
Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe The Sims™ 2 H&M® Fashion Stuff --> C:\Program Files\EA GAMES\The Sims 2 H&M® Fashion Stuff\EAUninstall.exe The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe Trend Micro Internet Security --> C:\Program Files\Trend Micro\Internet Security\remove.exe Trend Micro Internet Security --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E} TSR Wizard Manager --> MsiExec.exe /I{FD78E9A3-0016-4F5E-900F-FFFB5DC1835E} Ulead GIF Animator 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AF3E926-ED59-11D4-A44B-0000E86D2305}\Setup.exe" Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe URL Assistant --> regsvr32 /u /s "c:\Program Files\BAE\BAE.dll" VIA Register Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Your Company Name\VIA Register Tool\Uninst.isu" Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4" WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe WinAble --> "C:\Program Files\WinAble\winable.exe" -uninstall Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F} Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D} Windows XP Media Center Edition 2005 KB908246 --> 
"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe" Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe Wise-FTP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F22C63FE-DBA4-4FDA-9306-55AA627CE6C7}\Setup.exe" -l0x9 -- Application Event Log ------------------------------------------------------- Event Record #/Type1193 / Error Event Submitted/Written: 10/16/2007 09:08:59 PM Event ID/Source: 8 / crypt32 Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist. Event Record #/Type1192 / Error Event Submitted/Written: 10/16/2007 09:08:59 PM Event ID/Source: 8 / crypt32 Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist. 
Event Record #/Type1191 / Error Event Submitted/Written: 10/16/2007 09:08:58 PM Event ID/Source: 8 / crypt32 Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved Event Record #/Type1185 / Warning Event Submitted/Written: 10/16/2007 02:55:37 PM Event ID/Source: 1001 / MsiInstaller Event Description: Detection of product '{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}', feature 'SoleFeature' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}' Event Record #/Type1184 / Warning Event Submitted/Written: 10/16/2007 02:55:37 PM Event ID/Source: 1004 / MsiInstaller Event Description: Detection of product '{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}', feature 'SoleFeature', component '{B7195B4D-220F-4055-B216-675DFB956538}' failed. The resource 'C:\Program Files\Common Files\InstallShield\UpdateService\_ispmres.dll' does not exist. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. 
-- System Event Log ------------------------------------------------------------ Event Record #/Type699 / Error Event Submitted/Written: 10/16/2007 09:07:58 PM Event ID/Source: 7026 / Service Control Manager Event Description: The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi Event Record #/Type698 / Error Event Submitted/Written: 10/16/2007 09:07:58 PM Event ID/Source: 7001 / Service Control Manager Event Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31 Event Record #/Type697 / Error Event Submitted/Written: 10/16/2007 09:07:58 PM Event ID/Source: 7001 / Service Control Manager Event Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31 Event Record #/Type696 / Error Event Submitted/Written: 10/16/2007 09:07:58 PM Event ID/Source: 7001 / Service Control Manager Event Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31 Event Record #/Type695 / Error Event Submitted/Written: 10/16/2007 09:07:58 PM Event ID/Source: 7001 / Service Control Manager Event Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: %%31 -- End of Deckard's System Scanner: finished at 2007-10-16 21:09:47 ------------ I couldnt get the Extra.txt to wrap right, so I just pasted it. Last edited by sUBs; 10-17-2007 at 10:19 PM. |
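Read from a defender's side, the DSS registry dump in this post is showing the classic Windows XP load points: the Winlogon Shell value, AppInit_DLLs, the LSA Authentication Packages list and the Winlogon Notify subkeys, each carrying a file beyond what a clean XP install has. The Python script below is an added example, not part of this thread and not code from DSS, ComboFix or HijackThis: it parses a few constructed lines written in the DSS registry-dump format (mirroring the shape of the entries above) and flags any value that is not in an assumed set of XP SP2 defaults. The `DEFAULTS` and `DEFAULT_NOTIFY` sets and the `triage` function name are assumptions made for the example; it is a reading aid for a log, it changes nothing on the machine.

```python
"""Flag non-default entries in the load points a DSS/HJT registry dump reports.

Added example (not DSS, ComboFix or HijackThis code). SAMPLE_DUMP is a
constructed input that mirrors the shape of the lines in the thread's log.
"""
import re
from pathlib import PureWindowsPath

# Assumed Windows XP SP2 defaults for the checked values (keys lower-case).
DEFAULTS = {
    "shell": {"explorer.exe"},              # Winlogon\Shell
    "appinit_dlls": set(),                  # empty on a clean XP box
    "authentication packages": {"msv1_0"},  # LSA\Authentication Packages
}

# Assumed set of Winlogon\Notify subkeys that ship with XP SP2.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# "name"=value lines; the value may or may not be quoted.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Winlogon\Notify\<package> keys (matched against the lower-cased key path).
NOTIFY_RE = re.compile(r'\\winlogon\\notify\\([^\\]+)$')
# A drive-letter path (spaces allowed) ending in a module extension, else a bare token.
TOKEN_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|dat|sys|ocx)\b|\S+', re.IGNORECASE)

# Constructed sample in the DSS registry-dump format (shape taken from the log above).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturs.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
crypt32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\berkehpm]
berkehpm.dll 10/15/2007 06:56 PM 339968 C:\WINDOWS\system32\berkehpm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"""


def _modules(raw_value):
    """Split a flattened registry value into lower-case file names."""
    raw_value = raw_value.strip().strip('"')
    return [PureWindowsPath(t).name.lower() for t in TOKEN_RE.findall(raw_value)]


def triage(dump_text):
    """Return (location, module, reason) for every non-default entry found."""
    findings = []
    for line in dump_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            m = NOTIFY_RE.search(key)
            if m and m.group(1) not in DEFAULT_NOTIFY:
                findings.append(("Winlogon\\Notify", m.group(1),
                                 "notification package not in the assumed XP default set"))
            continue
        m = VALUE_RE.match(line)
        if not m or m.group("name").lower() not in DEFAULTS:
            continue  # only the load points listed in DEFAULTS are checked
        expected = DEFAULTS[m.group("name").lower()]
        for module in _modules(m.group("value")):
            if module not in expected:
                findings.append((m.group("name"), module,
                                 "extra module loaded from this value"))
    return findings


if __name__ == "__main__":
    for location, module, reason in triage(SAMPLE_DUMP):
        print(f"{location:<24} {module:<16} {reason}")
```

The check is deliberately "anything beyond the default" rather than a list of bad names, because the file names in this thread (printer.exe, sulimo.dat, vturs.dll, berkehpm.dll) are random and would never be on a blocklist; the helper then cross-checks each flagged file against the Files Created list and the vendor scan results before deciding what to remove.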
#2 (permalink) |
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista
Re: Cannot Boot System After Finding Trojan (2)
Hello Wheezy,
Using the same method as you did to obtain Deckard's System Scanner (dss.exe) and save it to your desktop, I'd like you to do the following:

Download Combofix and save it to your desktop.
**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

From Safe Mode: Double click on combofix.exe & follow the prompts.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

**Also, please let me know if you are now able to log into Normal Mode or not.
#3 (permalink) |
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
ComboFix Log:
ComboFix 07-10-17.8 - Wheezy 2007-10-17 0:15:53.2 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.810 [GMT -5:00] Running from: C:\Documents and Settings\ Wheezy \Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\All Users\Application Data.\salesmonitor C:\Documents and Settings\ Wheezy \ResErrors.log C:\Program Files\Hammer.dll C:\Program Files\Messenger\baprykuk.html C:\Program Files\Temporary C:\Program Files\Temporary\wininstall.exe C:\Program Files\Temporary\wininstall.exe C:\Program Files\Ultimate Cleaner C:\Program Files\WinAble C:\Program Files\Windows Plus\satec4444.dll C:\Program Files\Windows Plus\satec83122.dll C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\Temp\xOe C:\Temp\xOe\tOasF.log C:\WINDOWS\avp.exe C:\WINDOWS\cookies.ini C:\WINDOWS\Spyware Remover.ico C:\WINDOWS\system32\bydqykb.dll C:\WINDOWS\system32\hdgxurfn.exe C:\WINDOWS\system32\k1 C:\WINDOWS\system32\k1\IKtzudll2.exe C:\WINDOWS\system32\srutv.bak1 C:\WINDOWS\system32\srutv.bak1 C:\WINDOWS\system32\srutv.bak2 C:\WINDOWS\system32\srutv.bak2 C:\WINDOWS\system32\srutv.ini C:\WINDOWS\system32\srutv.ini C:\WINDOWS\system32\vMW02a C:\WINDOWS\system32\z8 C:\WINDOWS\TTC-4444.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_DOMAINSERVICE -------\DomainService ((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 ))))))))))))))))))))))))))))))) . 
2007-10-16 23:44 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-16 21:06 <DIR> d-------- C:\Deckard 2007-10-16 21:03 7,432 --a------ C:\WINDOWS\xlavra3.exe 2007-10-16 01:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-10-16 01:44 94,384 --a------ C:\WINDOWS\system32\msxml9r.dll 2007-10-15 23:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-10-15 19:52 7,849 --a------ C:\WINDOWS\system32\sulimo.dat 2007-10-15 19:49 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-10-15 19:49 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys 2007-10-15 19:49 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys 2007-10-15 19:49 28,679 --------- C:\Program Files\c_setup.exe 2007-10-15 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro 2007-10-15 19:45 9,728 --a------ C:\Program Files\hlpsrv.exe 2007-10-15 19:43 <DIR> d-------- C:\Documents and Settings\ Wheezy \Application Data\BestsellerAntivirus 2007-10-15 19:30 73,177,656 --a------ C:\TIS16-S.exe 2007-10-15 18:56 339,968 --a------ C:\WINDOWS\system32\berkehpm.dll 2007-10-15 18:55 389,184 --a------ C:\WINDOWS\system32\waocxuea.exe 2007-10-15 02:51 <DIR> d-------- C:\WINDOWS\system32\ue1 2007-10-15 02:51 <DIR> d-------- C:\WINDOWS\system32\pd2 2007-10-15 02:51 <DIR> d-------- C:\WINDOWS\system32\cos2 2007-10-15 02:51 <DIR> d-------- C:\Temp 2007-10-15 02:51 421,888 --a------ C:\WINDOWS\system32\bkinxvmh.dll 2007-10-15 02:51 45,056 --a------ C:\WINDOWS\system32\katzppd.exe 2007-10-15 02:51 45,056 --a------ C:\WINDOWS\system32\katzpawnp.exe 2007-10-15 02:51 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe 2007-10-15 02:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-10-09 13:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-09-27 18:02 <DIR> d-------- C:\Program Files\Common Files\xing shared 2007-09-18 00:29 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys 2007-09-18 
00:29 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys 2007-09-18 00:29 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys 2007-09-18 00:29 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys 2007-09-18 00:29 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-17 04:48 --------- d-----w C:\Program Files\Windows Plus 2007-10-16 04:33 --------- d-----w C:\Program Files\DIGStream 2007-10-16 00:49 --------- d-----w C:\Program Files\Trend Micro 2007-09-30 22:47 --------- d-----w C:\Program Files\MSN Messenger 2007-09-27 23:02 --------- d-----w C:\Program Files\Common Files\Real 2007-09-06 23:05 --------- d-----w C:\Program Files\EA GAMES 2007-09-02 04:36 --------- d-----w C:\Program Files\QuickTimePlayer.Resources 2007-09-02 04:36 --------- d-----w C:\Program Files\QTSystem 2007-09-02 04:36 --------- d-----w C:\Program Files\QTComponents 2007-09-02 04:36 --------- d-----w C:\Program Files\PropertyPanels 2007-09-02 04:36 --------- d-----w C:\Program Files\Plugins 2007-09-02 04:36 --------- d-----w C:\Program Files\PictureViewer.Resources 2007-09-02 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2007-09-02 04:35 --------- d-----w C:\Program Files\Apple Software Update 2007-09-02 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple 2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll 2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll 2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll 2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll 2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll 2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll 2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll 2007-08-22 12:55 39,424 
----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll 2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll 2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll 2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll 2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll 2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll 2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll 2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll 2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll 2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll 2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll 2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe 2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll 2007-08-19 04:45 667,978 ----a-w C:\WINDOWS\unins000.exe 2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll 2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll 2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll 2007-06-29 11:25 8,612 ----a-w C:\Program Files\QuickTime Read Me.htm 2007-06-29 11:25 749,568 ----a-w C:\Program Files\QTOControl.dll 2007-06-29 11:25 684,032 ----a-w C:\Program Files\QTOLibrary.dll 2007-06-29 11:25 618,496 ----a-w 
C:\Program Files\QTInfo.exe
2007-06-29 11:25 6,124,864 ----a-w C:\Program Files\QuickTimePlayer.exe
2007-06-29 11:25 574,784 ----a-w C:\Program Files\QTPlugin.ocx
2007-06-29 11:25 303,104 ----a-w C:\Program Files\QTUIPanelControl.dll
2007-06-29 11:24 55,622 ----a-w C:\Program Files\Sample.mov
2007-06-29 11:24 483,328 ----a-w C:\Program Files\PictureViewer.exe
2007-06-29 11:24 286,720 ----a-w C:\Program Files\QTTask.exe
2007-06-29 11:24 18,663 ----a-w C:\Program Files\Sample.qtif
2006-10-21 21:54:47 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54:47 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-15 18:56 339968 --a------ C:\WINDOWS\system32\berkehpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
2007-10-16 02:16 94384 --a------ C:\WINDOWS\system32\msxml9r.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
2007-10-15 02:51 421888 --a------ C:\WINDOWS\system32\bkinxvmh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\berkehpm.dll [2007-10-15 18:56 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 07:56]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-11 03:07]
"Wise-FTP Scheduler"="" []
"QuickTime Task"="C:\Program Files\qttask.exe" [2007-06-29 06:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-27 18:02]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Downloads\Ares\Ares.exe" []
"Wise-FTP Scheduler"="C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" [2003-08-29 16:35]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-03 21:50:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 02:58:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\berkehpm]
berkehpm.dll 2007-10-15 18:56 339968 C:\WINDOWS\system32\berkehpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywuuu]
xxywuuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 00:18:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 0:19:47
.
--- E O F ---

New HijackThis Log:

Deckard's System Scanner v20071014.68
Run by Wheezy on 2007-10-17 00:26:09
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-17 00:26:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ Wheezy \Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.com/ig/dell?hl=en&...inc&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...inc&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Downloads\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\berkehpm.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\msxml9r.dll
O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkinxvmh.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\berkehpm.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ares] "C:\Downloads\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: berkehpm - C:\WINDOWS\system32\berkehpm.dll
O20 - Winlogon Notify: xxywuuu - C:\WINDOWS\system32\xxywuuu.dll (file missing)
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7071 bytes

-- Files created between 2007-09-17 and 2007-10-17 -----------------------------

2007-10-16 21:03:13 7432 --a------ C:\WINDOWS\xlavra3.exe
2007-10-16 01:59:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 01:44:32 94384 --a------ C:\WINDOWS\system32\msxml9r.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-15 23:04:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 23:00:34 0 d--hs---- C:\WINDOWS\CSC
2007-10-15 19:52:41 7849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-10-15 19:49:12 28679 -----n--- C:\Program Files\c_setup.exe <Not Verified; Microsoft; Project1>
2007-10-15 19:48:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-15 19:45:26 9728 --a------ C:\Program Files\hlpsrv.exe <Not Verified; NoName Corp.; NNC module>
2007-10-15 19:43:23 0 d-------- C:\Documents and Settings\ Wheezy \Application Data\BestsellerAntivirus
2007-10-15 18:56:10 339968 --a------ C:\WINDOWS\system32\berkehpm.dll
2007-10-15 18:55:46 389184 --a------ C:\WINDOWS\system32\waocxuea.exe
2007-10-15 02:51:26 44922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-15 02:51:24 45056 --a------ C:\WINDOWS\system32\katzppd.exe <Not Verified; Upads.Biz; IKatzu App>
2007-10-15 02:51:23 45056 --a------ C:\WINDOWS\system32\katzpawnp.exe <Not Verified; Upads.Biz; IKatzu App>
2007-10-15 02:51:20 421888 --a------ C:\WINDOWS\system32\bkinxvmh.dll <Not Verified; ; IKatzu Search Ads>
2007-10-15 02:51:16 24576 --a------ C:\WINDOWS\system32\msxml3a.dll <Not Verified; Microsoft Corporation; Microsoft XML Core Services>
2007-10-15 02:51:11 0 d-------- C:\WINDOWS\system32\pd2
2007-10-15 02:51:10 0 d-------- C:\WINDOWS\system32\ue1
2007-10-15 02:51:09 0 d-------- C:\WINDOWS\system32\cos2
2007-10-15 02:51:04 0 d-------- C:\Temp
2007-09-27 18:02:14 0 d-------- C:\Program Files\Common Files\xing shared
2007-09-27 18:01:20 0 d-------- C:\Documents and Settings\ Wheezy \Application Data\Real

-- Find3M Report ---------------------------------------------------------------

2007-10-16 23:48:24 0 d-------- C:\Program Files\Windows Plus
2007-10-16 23:48:23 0 d-------- C:\Program Files\Messenger
2007-10-15 23:33:07 0 d-------- C:\Program Files\DIGStream
2007-10-15 22:47:05 0 d-------- C:\Program Files\Common Files
2007-10-15 19:49:10 0 d-------- C:\Program Files\Trend Micro
2007-10-15 19:03:14 1146852 --a------ C:\Documents and Settings\ Wheezy \Application Data\Install.xat
2007-09-30 17:47:12 0 d-------- C:\Program Files\MSN Messenger
2007-09-27 18:02:33 3638 --a----c- C:\WINDOWS\mozver.dat
2007-09-27 18:02:12 0 d-------- C:\Program Files\Common Files\Real
2007-09-06 18:05:23 0 d-------- C:\Program Files\EA GAMES
2007-09-01 23:36:59 0 d-------- C:\Program Files\Plugins
2007-09-01 23:36:37 0 d-------- C:\Program Files\QTSystem
2007-09-01 23:36:33 0 d-------- C:\Program Files\QuickTimePlayer.Resources
2007-09-01 23:36:24 0 d-------- C:\Program Files\PropertyPanels
2007-09-01 23:36:24 0 d-------- C:\Program Files\PictureViewer.Resources
2007-09-01 23:36:11 0 d-------- C:\Program Files\QTComponents
2007-09-01 23:35:37 0 d-------- C:\Program Files\Apple Software Update
2007-08-18 23:45:11 6606 --a----c- C:\WINDOWS\unins000.dat
2007-08-18 23:45:01 667978 --a------ C:\WINDOWS\unins000.exe <Not Verified; ; Inno Setup>
2007-08-14 15:09:32 112 --a------ C:\WINDOWS\HOSTK100.DAT

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
10/15/2007 06:56 PM 339968 --a------ C:\WINDOWS\system32\berkehpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
10/16/2007 02:16 AM 94384 --a------ C:\WINDOWS\system32\msxml9r.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
10/15/2007 02:51 AM 421888 --a------ C:\WINDOWS\system32\bkinxvmh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 05:48 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 11:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [06/17/2005 07:56 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 03:12 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 10:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 10:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 05:20 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [04/11/2006 03:07 AM]
"Wise-FTP Scheduler"="" []
"QuickTime Task"="C:\Program Files\qttask.exe" [06/29/2007 06:24 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/29/2007 12:43 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/27/2007 06:02 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [09/18/2007 12:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Downloads\Ares\Ares.exe" []
"Wise-FTP Scheduler"="C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" [08/29/2003 04:35 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/3/2006 9:50:26 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [4/11/2006 2:58:39 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\berkehpm]
berkehpm.dll 10/15/2007 06:56 PM 339968 C:\WINDOWS\system32\berkehpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywuuu]
xxywuuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2007-10-17 00:26:49 ------------

No, I cannot log in/boot up in regular mode. I'm still having to use Safe Mode.

Last edited by sUBs; 10-17-2007 at 10:25 PM.
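The removal requests in the replies that follow are chosen by cross-reading two parts of the log above: the autostart entries (O2/O3/O4/O20) and the "Files created" listing. The Python below is an added example, not code from this thread's helpers or from HijackThis or Deckard's System Scanner. It extracts the file each autostart line loads and flags it when the listing dates that file inside the suspected infection window (15 and 16 October 2007, an assumption read off the listing above) or when the log marks the target as missing. The sample lines are a subset copied from the logs posted above.

```python
"""Triage HijackThis-style autostart entries against a 'Files created' listing.

Added example, not code from the thread's helpers or from HijackThis/Deckard's
System Scanner. An autostart entry deserves a closer look when the file it
loads was created inside the suspected infection window, or when the log
marks the target as missing (an orphaned entry left behind by a partial clean).
"""
import re
from datetime import date

# A subset of the HijackThis clone lines from the log above.
HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\berkehpm.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\msxml9r.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\berkehpm.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: berkehpm - C:\WINDOWS\system32\berkehpm.dll
O20 - Winlogon Notify: xxywuuu - C:\WINDOWS\system32\xxywuuu.dll (file missing)
"""

# A subset of the "Files created between" lines from the same log.
CREATED_LINES = r"""
2007-10-16 21:03:13 7432 --a------ C:\WINDOWS\xlavra3.exe
2007-10-16 01:44:32 94384 --a------ C:\WINDOWS\system32\msxml9r.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-15 19:52:41 7849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-10-15 18:56:10 339968 --a------ C:\WINDOWS\system32\berkehpm.dll
2007-09-27 18:02:33 3638 --a----c- C:\WINDOWS\mozver.dat
"""

# Suspected infection window for this thread (assumption: the two days on which
# the unfamiliar system32 files above were created).
WINDOW = (date(2007, 10, 15), date(2007, 10, 16))

# "<date> <time> <size> <attrs> <path> [<vendor info>]"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+?)(?:\s+<.*>)?$"
)
# The loaded file ends at the first well-known binary extension; whatever follows
# (arguments, ',EntryPoint' for rundll32, '(file missing)') is dropped.
PATH_RE = re.compile(r"^(.*?\.(?:exe|dll|dat|sys|ocx))", re.IGNORECASE)


def parse_created(text):
    """Map each created file (lower-cased path) to its creation date."""
    created = {}
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line)
        if m:
            created[m.group("path").lower()] = date.fromisoformat(m.group("date"))
    return created


def loaded_path(line):
    """Return (path, missing) for an O2/O3/O4/O20 line, or None for other lines."""
    kind, _, body = line.partition(" - ")
    if kind not in ("O2", "O3", "O4", "O20"):
        return None
    missing = "(no file)" in body or "(file missing)" in body
    if kind == "O4":
        sep = "] " if "] " in body else " = "   # [Run entry] command / Startup .lnk = target
        body = body.partition(sep)[2]
    elif body.startswith("AppInit_DLLs:"):
        body = body.partition(":")[2]
    else:
        body = body.rpartition(" - ")[2]         # target follows the last ' - '
    body = body.strip().lstrip('"')
    if body.lower().startswith("rundll32.exe "):
        body = body[len("rundll32.exe "):]       # the DLL is rundll32's argument
    m = PATH_RE.match(body)
    return (m.group(1) if m else None, missing)


def triage(hjt_text, created_text, window_start, window_end):
    """Flag autostart lines whose target is missing or was created in the window."""
    created = parse_created(created_text)
    findings = []
    for line in hjt_text.strip().splitlines():
        parsed = loaded_path(line)
        if parsed is None:
            continue
        path, missing = parsed
        reasons = []
        if missing:
            reasons.append("target missing (orphaned autostart entry)")
        when = created.get((path or "").lower())
        if when and window_start <= when <= window_end:
            reasons.append("target created %s, inside the infection window" % when)
        if reasons:
            findings.append((line.partition(" - ")[0], path, "; ".join(reasons)))
    return findings


def triage_thread_logs():
    """Apply the check to the sample lines with this thread's window."""
    return triage(HJT_LINES, CREATED_LINES, *WINDOW)


if __name__ == "__main__":
    for kind, path, why in triage_thread_logs():
        print("%-4s %-45s %s" % (kind, path, why))
```

Run as a script it prints one line per flagged entry; the same check applies to any HijackThis log paired with a Deckard or ComboFix "Files created" section, since both formats are regular enough for the two expressions above. Entries like ehtray.exe or NvCpl.dll are not flagged because nothing in the listing ties them to the window, which is the point of the cross-reference: age and orphan status, not an unfamiliar name alone, are what single out berkehpm.dll, msxml9r.dll, sulimo.dat and xxywuuu.dll.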
#4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista
Re: Cannot Boot System After Finding Trojan (2)
Hello Wheezy,
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run it yet.

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

From Safe Mode:

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually (into Normal Mode if you are able).
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed.
Please post that log along with all others requested in your next reply.

--------------------------------------------------------------------

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web.
Now, uncheck everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"
Also make sure the 'Lock desktop items' box is unticked.
Click OK, and then click Apply, then OK.

--------------------------------------------------------------------

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

--------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

--------------------------------------------------------------------

From Normal Mode if possible:

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------------

Please include the following in your next reply:
C:\rapport.txt
C:\ComboFix.txt
Update on system behavior

**Please do not wrap the logs in quote or code tags as it makes them more difficult to read.
#5 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
Rapport.txt Log:
SmitFraudFix v2.240

Scan done at 1:30:36.25, Wed 10/17/2007
Run from C:\Documents and Settings\Wheezy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{827130BE-3F9F-4771-ABAE-4B7029321371}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{827130BE-3F9F-4771-ABAE-4B7029321371}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\sulimo.dat
Please, Reboot and Run SmitfraudFix option 2 once again.

»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix.txt Log:

ComboFix 07-10-17.8 - Wheezy 2007-10-17 18:27:54.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.824 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wheezy\Desktop\CFScript.txt

FILE::
C:\TIS16-S.exe
C:\WINDOWS\system32\berkehpm.dll
C:\WINDOWS\system32\bkinxvmh.dll
C:\WINDOWS\system32\IKatzuUninstall.exe
C:\WINDOWS\system32\katzpawnp.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\msxml9r.dll
C:\WINDOWS\system32\waocxuea.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\berkehpm.dll
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 01:30 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-17 01:30 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-17 01:30 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-17 01:30 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-17 01:30 3,370 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-16 23:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 21:06 <DIR> d-------- C:\Deckard
2007-10-16 21:03 7,432 --a------ C:\WINDOWS\xlavra3.exe
2007-10-16 01:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 23:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 19:52 1,536 --a------ C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat
2007-10-15 19:49 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-15 19:49 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-10-15 19:49 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-10-15 19:49 28,679 --------- C:\Program Files\c_setup.exe
2007-10-15 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-15 19:45 9,728 --a------ C:\Program Files\hlpsrv.exe
2007-10-15 19:43 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\BestsellerAntivirus
2007-10-15 02:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-09 13:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-27 18:02 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-18 00:29 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 00:29 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 00:29 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 00:29 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 00:29 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 04:48 --------- d-----w C:\Program Files\Windows Plus
2007-10-16 04:33 --------- d-----w C:\Program Files\DIGStream
2007-10-16 00:49 --------- d-----w C:\Program Files\Trend Micro
2007-09-30 22:47 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 23:02 --------- d-----w C:\Program Files\Common Files\Real
2007-09-06 23:05 --------- d-----w C:\Program Files\EA GAMES
2007-09-02 04:36 --------- d-----w C:\Program Files\QuickTimePlayer.Resources
2007-09-02 04:36 --------- d-----w C:\Program Files\QTSystem
2007-09-02 04:36 --------- d-----w C:\Program Files\QTComponents
2007-09-02 04:36 --------- d-----w C:\Program Files\PropertyPanels
2007-09-02 04:36 --------- d-----w C:\Program Files\Plugins
2007-09-02 04:36 --------- d-----w C:\Program Files\PictureViewer.Resources
2007-09-02 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-02 04:35 --------- d-----w C:\Program Files\Apple Software Update
2007-09-02 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-19 04:45 667,978 ----a-w C:\WINDOWS\unins000.exe
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-06-29 11:25 8,612 ----a-w C:\Program Files\QuickTime Read Me.htm
2007-06-29 11:25 749,568 ----a-w C:\Program Files\QTOControl.dll
2007-06-29 11:25 684,032 ----a-w C:\Program Files\QTOLibrary.dll
2007-06-29 11:25 618,496 ----a-w C:\Program Files\QTInfo.exe
2007-06-29 11:25 6,124,864 ----a-w C:\Program Files\QuickTimePlayer.exe
2007-06-29 11:25 574,784 ----a-w C:\Program Files\QTPlugin.ocx
2007-06-29 11:25 303,104 ----a-w C:\Program Files\QTUIPanelControl.dll
2007-06-29 11:24 55,622 ----a-w C:\Program Files\Sample.mov
2007-06-29 11:24 483,328 ----a-w C:\Program Files\PictureViewer.exe
2007-06-29 11:24 286,720 ----a-w C:\Program Files\QTTask.exe
2007-06-29 11:24 18,663 ----a-w C:\Program Files\Sample.qtif
2006-10-21 21:54:47 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54:47 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_ 0.19.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-17 06:38:38 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-17 06:38:40 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-10-17 06:38:40 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-10-17 06:38:40 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-10-17 06:38:40 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-10-17 06:38:40 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Downloads\Ares\Ares.exe" []
"Wise-FTP Scheduler"="C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" [2003-08-29 16:35]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-03 21:50:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-11 02:58:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\berkehpm]
berkehpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywuuu]
xxywuuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 18:32:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 18:36:00 - machine was rebooted
.
--- E O F ---

I can now log into my computer in normal mode, but I had to execute the steps to acquire the ComboFix.txt log in Safe Mode. I'm no longer getting any pop-ups or virus warnings, and I can access the internet in normal mode. However, my Recycle Bin is gone, and I cannot get into the All Programs menu via the Start Menu.
#6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista
Re: Cannot Boot System After Finding Trojan (2)
Hello Wheezy,
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close any open browsers.

---------------------------------------------------------------------

During the course of running SmitfraudFix, the tool instructed you to run Option 2 again---did you run Option 2 a second time?

Quote:

----------------------------------------------------------------

From Normal Mode:

Open notepad and copy/paste the text in the code box below into it:

Code:

File::
C:\WINDOWS\xlavra3.exe
C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat
C:\Program Files\c_setup.exe
C:\Program Files\hlpsrv.exe

Folder::
C:\Documents and Settings\Wheezy\Application Data\BestsellerAntivirus

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"=-
"Wise-FTP Scheduler"=-
"ArtChk"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\berkehpm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywuuu]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:
C:\rapport.txt (if you ran Option 2 this round)
C:\ComboFix.txt
Panda results
New HijackThis log

Last edited by Ried; 10-17-2007 at 06:57 PM. Reason: changed to code box
#7 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
Rapport.txt Log (ran option 2 again as asked):

SmitFraudFix v2.240

Scan done at 20:03:25.56, Wed 10/17/2007
Run from C:\Documents and Settings\Wheezy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{827130BE-3F9F-4771-ABAE-4B7029321371}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{827130BE-3F9F-4771-ABAE-4B7029321371}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Combofix.txt Log:

ComboFix 07-10-17.8 - Wheezy 2007-10-17 20:14:26.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wheezy\Desktop\CFScript.txt

FILE::
C:\Program Files\c_setup.exe
C:\Program Files\hlpsrv.exe
C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat
C:\WINDOWS\xlavra3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\c_setup.exe
C:\Program Files\hlpsrv.exe
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-17 20:07 <DIR> d-------- C:\WINDOWS\system32\%programfiles%
2007-10-17 20:07 <DIR> d-------- C:\WINDOWS\system32\%commonprogramfiles%
2007-10-17 20:07 1,071,812,608 C:\ComboFix\=\hiberfil.sys
2007-10-17 20:07 1,071,812,608 C:\ComboFix\=\hiberfil.sys
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 01:30 214 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-16 23:44 <DIR> C:\ComboFix\=\qoobox
2007-10-16 23:44 <DIR> C:\ComboFix\=\qoobox
2007-10-16 23:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 21:06 <DIR> d-------- C:\Deckard
2007-10-16 21:06 <DIR> C:\ComboFix\=\Deckard
2007-10-16 21:06 <DIR> C:\ComboFix\=\Deckard
2007-10-15 23:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 19:49 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-15 19:49 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-10-15 19:49 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-10-15 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-15 19:43 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\BestsellerAntivirus
2007-10-15 02:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-09 13:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-18 00:29 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 00:29 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 00:29 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 00:29 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 00:29 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-02 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-02 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-19 04:45 667,978 ----a-w C:\WINDOWS\unins000.exe
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-10-21 21:54:47 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54:47 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((( snapshot@2007-10-17_ 0.19.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-17 06:38:38 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-17 06:38:40 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-10-17 06:38:40 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-10-17 06:38:40 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-10-17 06:38:40 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-10-17 06:38:40 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 20:23:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 20:25:08
.
--- E O F ---

Panda Scan:

Incident Status Location

Adware:Adware/DriveCleaner Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\1632.exe
Adware:Adware/DriveCleaner Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\hostagent.exe
Adware:Adware/DriveCleaner Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\hostsyn.exe
Potentially unwanted tool:Application/AVSystemCare Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\mofugclq.exe
Potentially unwanted tool:Application/AVSystemCare Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\qrjatydi.exe
Adware:Adware/DriveCleaner Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\server32.exe
Virus:Generic Malware Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\snapsnet.exe[vMW02a1065.exe]
Potentially unwanted tool:Application/AVSystemCare Not disinfected C:\Deckard\System Scanner\20071017002223\backup\DOCUME~1\WHEEZY~1\LOCALS~1\Temp\urclqecd.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.target.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[server.iad.liveperson.net/hc/33069911]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@bs.serving-sys[2].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@c.fsx[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@cgi-bin[12].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@cgi-bin[5].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@counter10.sextracker[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@doubleclick[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@entrepreneur[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@fe.lea.lycos[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@fe.lea.lycos[4].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@fe.lea.lycos[5].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@fortunecity[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@goclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@klik.klikadvertising[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@searchportal.information[2].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@seeq[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@stat.onestat[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@target[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@toplist[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@tucows[1].txt
Spyware:Cookie/RealTracker Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@web2.realtracker[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@weborama[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Wheezy\Cookies\Wheezy@yadro[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Wheezy\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Wheezy\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Wheezy\Desktop\SmitfraudFix\restart.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Wheezy\Desktop\SmitfraudFix.exe
Adware:Adware/SecurityToolbar Not disinfected C:\Documents and Settings\Wheezy\Desktop\[4]-Submit_2007-10-17@18.19.zip[berkehpm.dll]
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\Program Files\Windows Plus\satec4444.dll.vir
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\Program Files\Windows Plus\satec83122.dll.vir
Adware:Adware/DriveCleaner Not disinfected C:\qoobox\Quarantine\C\WINDOWS\avp.exe.vir
Spyware:Spyware/SafeSurf Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\k1\IKtzudll2.exe.vir[ExtractDLL.dll]
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ue1\aded83122.exe.vir
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

New HijackThis Log:

Deckard's System Scanner v20071014.68
Run by Wheezy on 2007-10-17 21:49:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-17 21:50:26
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Wheezy\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.com/ig/dell?hl=en&...inc&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...inc&channel=us
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5674 bytes

-- Files created between 2007-09-17 and 2007-10-17 -----------------------------

2007-10-17 20:34:01 0 d-------- C:\WINDOWS\LastGood
2007-10-17 20:10:51 0 d-------- \ComboFix
2007-10-17 20:10:51 0 d-------- \ComboFix
2007-10-17 20:07:08 0 d-------- C:\WINDOWS\system32\%programfiles%
2007-10-17 20:07:08 0 d-------- C:\WINDOWS\system32\%commonprogramfiles%
2007-10-17 20:07:06 1071812608 --ahs---- \hiberfil.sys
2007-10-17 20:07:06 1071812608 --ahs---- \hiberfil.sys
2007-10-17 07:02:38 0 dr-h----- C:\$VAULT$.AVG
2007-10-17 07:02:38 0 dr-h----- \$VAULT$.AVG
2007-10-17 07:02:38 0 dr-h----- \$VAULT$.AVG
2007-10-17 01:38:58 0 d-------- C:\Documents and Settings\Wheezy\Application Data\AVG7
2007-10-17 01:38:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 01:38:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 01:38:31 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 01:30:41 214 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-16 23:44:38 0 d-------- \qoobox
2007-10-16 23:44:38 0 d-------- \qoobox
2007-10-16 21 50 0 d-------- \Deckard
2007-10-16 21 50 0 d-------- \Deckard
2007-10-16 01:59:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 23:04:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 23:00:34 0 d--hs---- C:\WINDOWS\CSC
2007-10-15 19:48:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-15 19:43:23 0 d-------- C:\Documents and Settings\Wheezy\Application Data\BestsellerAntivirus
2007-10-15 02:51:16 24576 --a------ C:\WINDOWS\system32\msxml3a.dll <Not Verified; Microsoft Corporation; Microsoft XML Core Services>
2007-09-27 18:01:20 0 d-------- C:\Documents and Settings\Wheezy\Application Data\Real

-- Find3M Report ---------------------------------------------------------------

2007-10-17 21:39:51 0 d-------- \WINDOWS
2007-10-17 21:39:51 0 d-------- \WINDOWS
2007-10-17 20:25:12 7409 --a------ \ComboFix.txt
2007-10-17 20:25:12 7409 --a------ \ComboFix.txt
2007-10-17 20:23:03 0 d-------- \Program Files
2007-10-17 20:23:03 0 d-------- \Program Files
2007-10-17 20:07:05 1610612736 --ahs---- \pagefile.sys
2007-10-17 20:07:05 1610612736 --ahs---- \pagefile.sys
2007-10-16 19:22:14 0 d-------- \Downloads
2007-10-16 19:22:14 0 d-------- \Downloads
2007-10-15 19:03:14 1146852 --a------ C:\Documents and Settings\Wheezy\Application Data\Install.xat
2007-10-15 02:58:29 244 --ah----- \sqmnoopt12.sqm
2007-10-15 02:58:29 244 --ah----- \sqmnoopt12.sqm
2007-10-15 02:58:29 304 --ah----- \sqmdata08.sqm
2007-10-15 02:58:29 304 --ah----- \sqmdata08.sqm
2007-10-15 02:54:14 244 --ah----- \sqmnoopt11.sqm
2007-10-15 02:54:14 244 --ah----- \sqmnoopt11.sqm
2007-10-15 02:54:14 232 --ah----- \sqmdata07.sqm
2007-10-15 02:54:14 232 --ah----- \sqmdata07.sqm
2007-10-14 20:44:14 244 --ah----- \sqmnoopt10.sqm
2007-10-14 20:44:14 244 --ah----- \sqmnoopt10.sqm
2007-10-14 20:44:14 232 --ah----- \sqmdata06.sqm
2007-10-14 20:44:14 232 --ah----- \sqmdata06.sqm
2007-10-07 04:16:41 0 d-------- \Private
2007-10-07 04:16:41 0 d-------- \Private
2007-09-27 18:02:33 3638 --a----c- C:\WINDOWS\mozver.dat
2007-09-08 00:57:20 0 d-------- \Sims 2 Backups
2007-09-08 00:57:20 0 d-------- \Sims 2 Backups
2007-09-05 21:05:40 0 d-------- \NVIDIA
2007-09-05 21:05:40 0 d-------- \NVIDIA
2007-09-05 20:22:48 244 --ah----- \sqmnoopt09.sqm
2007-09-05 20:22:48 244 --ah----- \sqmnoopt09.sqm
2007-09-05 20:22:48 268 --ah----- \sqmdata05.sqm
2007-09-05 20:22:48 268 --ah----- \sqmdata05.sqm
2007-09-04 23:27:42 244 --ah----- \sqmnoopt08.sqm
2007-09-04 23:27:42 244 --ah----- \sqmnoopt08.sqm
2007-09-04 23:27:42 268 --ah----- \sqmdata04.sqm
2007-09-04 23:27:42 268 --ah----- \sqmdata04.sqm
2007-09-04 22:51:16 244 --ah----- \sqmnoopt07.sqm
2007-09-04 22:51:16 244 --ah----- \sqmnoopt07.sqm
2007-09-04 22:51:16 232 --ah----- \sqmdata03.sqm
2007-09-04 22:51:16 232 --ah----- \sqmdata03.sqm
2007-09-04 22:31:07 244 --ah----- \sqmnoopt06.sqm
2007-09-04 22:31:07 244 --ah----- \sqmnoopt06.sqm
2007-09-04 22:31:07 232 --ah----- \sqmdata02.sqm
2007-09-04 22:31:07 232 --ah----- \sqmdata02.sqm
2007-09-04 22:15:01 244 --ah----- \sqmnoopt05.sqm
2007-09-04 22:15:01 244 --ah----- \sqmnoopt05.sqm
2007-09-04 22:15:01 232 --ah----- \sqmdata01.sqm
2007-09-04 22:15:01 232 --ah----- \sqmdata01.sqm
2007-09-04 21:28:55 244 --ah----- \sqmnoopt04.sqm
2007-09-04 21:28:55 244 --ah----- \sqmnoopt04.sqm
2007-09-04 21:28:55 232 --ah----- \sqmdata00.sqm
2007-09-04 21:28:55 232 --ah----- \sqmdata00.sqm
2007-09-04 21:18:02 244 --ah----- \sqmnoopt03.sqm
2007-09-04 21:18:02 244 --ah----- \sqmnoopt03.sqm
2007-09-04 21:18:02 232 --ah----- \sqmdata19.sqm
2007-09-04 21:18:02 232 --ah----- \sqmdata19.sqm
2007-09-04 21:01:58 244 --ah----- \sqmnoopt02.sqm
2007-09-04 21:01:58 244 --ah----- \sqmnoopt02.sqm
2007-09-04 21:01:58 232 --ah----- \sqmdata18.sqm
2007-09-04 21:01:58 232 --ah----- \sqmdata18.sqm
2007-09-04 20:57:32 244 --ah----- \sqmnoopt01.sqm
2007-09-04 20:57:32 244 --ah----- \sqmnoopt01.sqm
2007-09-04 20:57:32 232 --ah----- \sqmdata17.sqm
2007-09-04 20:57:32 232 --ah----- \sqmdata17.sqm
2007-09-04 18:39:06 244 --ah----- \sqmnoopt00.sqm
2007-09-04 18:39:06 244 --ah----- \sqmnoopt00.sqm
2007-09-04 18:39:06 232 --ah----- \sqmdata16.sqm
2007-09-04 18:39:06 232 --ah----- \sqmdata16.sqm
2007-09-04 18:16:07 244 --ah----- \sqmnoopt19.sqm
2007-09-04 18:16:07 244 --ah----- \sqmnoopt19.sqm
2007-09-04 18:16:07 232 --ah----- \sqmdata15.sqm
2007-09-04 18:16:07 232 --ah----- \sqmdata15.sqm
2007-09-04 18:02:10 244 --ah----- \sqmnoopt18.sqm
2007-09-04 18:02:10 244 --ah----- \sqmnoopt18.sqm
2007-09-04 18:02:10 268 --ah----- \sqmdata14.sqm
2007-09-04 18:02:10 268 --ah----- \sqmdata14.sqm
2007-09-04 13:52:16 244 --ah----- \sqmnoopt17.sqm
2007-09-04 13:52:16 244 --ah----- \sqmnoopt17.sqm
2007-09-04 13:52:16 268 --ah----- \sqmdata13.sqm
2007-09-04 13:52:16 268 --ah----- \sqmdata13.sqm
2007-08-31 04:46:13 244 --ah----- \sqmnoopt16.sqm
2007-08-31 04:46:13 244 --ah----- \sqmnoopt16.sqm
2007-08-31 04:46:13 232 --ah----- \sqmdata12.sqm
2007-08-31 04:46:13 232 --ah----- \sqmdata12.sqm
2007-08-31 02:36:26 244 --ah----- \sqmnoopt15.sqm
2007-08-31 02:36:26 244 --ah----- \sqmnoopt15.sqm
2007-08-31 02:36:26 268 --ah----- \sqmdata11.sqm
2007-08-31 02:36:26 268 --ah----- \sqmdata11.sqm
2007-08-30 22:53:00 268 --ah----- \sqmdata10.sqm
2007-08-30 22:53:00 268 --ah----- \sqmdata10.sqm
2007-08-30 22:52:59 244 --ah----- \sqmnoopt14.sqm
2007-08-30 22:52:59 244 --ah----- \sqmnoopt14.sqm
2007-08-22 01:51:10 244 --ah----- \sqmnoopt13.sqm
2007-08-22 01:51:10 244 --ah----- \sqmnoopt13.sqm
2007-08-22 01:51:10 268 --ah----- \sqmdata09.sqm
2007-08-22 01:51:10 268 --ah----- \sqmdata09.sqm
2007-08-18 23:45:11 6606 --a----c- C:\WINDOWS\unins000.dat
2007-08-18 23:45:01 667978 --a------ C:\WINDOWS\unins000.exe <Not Verified; ; Inno Setup>
2007-08-14 15:09:32 112 --a------ C:\WINDOWS\HOSTK100.DAT

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2007-10-17 21:51:05 ------------
#8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista
Re: Cannot Boot System After Finding Trojan (2)
Hello Wheezy,
As you mentioned in your initial thread, things went 'screwy' after running Trend Micro AV: Quote:
This is what I'd like you to do: Click Start>All Programs>Accessories>System Tools
#9 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
Actually, things started to go "screwy" before I bought the Trend Micro security software. It was the behavior of my computer that actually prompted me to buy and install the Trend Micro.
Before I do this, I need to ask... does this erase files/programs/saved documents from my computer? Do I actually DO the step or just look at the date? Also, I stated in an earlier post that I cannot get into the "All Programs" menu from my Start Menu. Should I attempt this from Safe Mode or is there another way around it?
Last edited by Wheezy; 10-17-2007 at 10:25 PM.
#10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A
Re: Cannot Boot System After Finding Trojan (2)
Your log is very difficult to read.
Kindly turn off the word wrap feature in your text editor. With Notepad, this can be done by going to Format -> untick "Word Wrap". Then re-post the last ComboFix log.
__________________
Question - what have you done for the community today?
#11 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
ComboFix Log (not word-wrapped):
Combofix.txt Log:

ComboFix 07-10-17.8 - Wheezy 2007-10-17 20:14:26.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wheezy\Desktop\CFScript.txt

FILE::
C:\Program Files\c_setup.exe
C:\Program Files\hlpsrv.exe
C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat
C:\WINDOWS\xlavra3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\c_setup.exe
C:\Program Files\hlpsrv.exe
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-17 20:07 <DIR> d-------- C:\WINDOWS\system32\%programfiles%
2007-10-17 20:07 <DIR> d-------- C:\WINDOWS\system32\%commonprogramfiles%
2007-10-17 20:07 1,071,812,608 C:\ComboFix\=\hiberfil.sys
2007-10-17 20:07 1,071,812,608 C:\ComboFix\=\hiberfil.sys
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 01:30 214 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-16 23:44 <DIR> C:\ComboFix\=\qoobox
2007-10-16 23:44 <DIR> C:\ComboFix\=\qoobox
2007-10-16 23:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 21:06 <DIR> d-------- C:\Deckard
2007-10-16 21:06 <DIR> C:\ComboFix\=\Deckard
2007-10-16 21:06 <DIR> C:\ComboFix\=\Deckard
2007-10-15 23:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 19:49 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-15 19:49 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-10-15 19:49 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-10-15 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-15 19:43 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\BestsellerAntivirus
2007-10-15 02:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-09 13:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-18 00:29 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 00:29 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 00:29 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 00:29 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 00:29 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-02 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-02 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-19 04:45 667,978 ----a-w C:\WINDOWS\unins000.exe
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-10-21 21:54:47 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54:47 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((( snapshot@2007-10-17_ 0.19.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-17 06:38:38 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-17 06:38:40 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-10-17 06:38:40 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-10-17 06:38:40 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-10-17 06:38:40 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-10-17 06:38:40 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 20:23:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 20:25:08
.
--- E O F ---
#12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A
Re: Cannot Boot System After Finding Trojan (2)
Locate this folder - C:\QooBox\Hiv-backup
Rename it from Hiv-backup to Hiv-backup-OLD

----------

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@set > Env-log.txt && notepad Env-log.txt

It should look like this:

Double click on env.bat & allow it to run

Post back to tell me what it says
#13 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wheezy\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
COMPUTERNAME=WHEEZY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wheezy
LOGONSERVER=\\WHEEZY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Wheezy~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\Wheezy~1\LOCALS~1\Temp
USERDOMAIN=WHEEZY
USERNAME=Wheezy
USERPROFILE=C:\Documents and Settings\Wheezy
windir=C:\WINDOWS
#14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A
Re: Cannot Boot System After Finding Trojan (2)
Reboot the machine now. Then run ComboFix by double clicking it.
Show me the log that's produced
#15 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
ComboFix 07-10-17.8 - Wheezy 2007-10-18 0:14:19.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-17 20:07 <DIR> d-------- C:\WINDOWS\system32\%programfiles%
2007-10-17 20:07 <DIR> d-------- C:\WINDOWS\system32\%commonprogramfiles%
2007-10-17 20:07 1,071,812,608 C:\ComboFix\=\hiberfil.sys
2007-10-17 20:07 1,071,812,608 C:\ComboFix\=\hiberfil.sys
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 01:30 214 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-16 23:44 <DIR> C:\ComboFix\=\qoobox
2007-10-16 23:44 <DIR> C:\ComboFix\=\qoobox
2007-10-16 23:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 21:06 <DIR> d-------- C:\Deckard
2007-10-16 21:06 <DIR> C:\ComboFix\=\Deckard
2007-10-16 21:06 <DIR> C:\ComboFix\=\Deckard
2007-10-15 23:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 19:49 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-15 19:49 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-10-15 19:49 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-10-15 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-15 19:43 <DIR> d-------- C:\Documents and Settings\Wheezy\Application Data\BestsellerAntivirus
2007-10-15 02:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-09 13:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-18 00:29 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 00:29 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 00:29 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 00:29 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 00:29 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-02 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-02 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-19 04:45 667,978 ----a-w C:\WINDOWS\unins000.exe
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-10-21 21:54:47 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54:47 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((( snapshot@2007-10-17_ 0.19.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-10-17 06:38:38 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-17 06:38:40 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-10-17 06:38:40 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-10-17 06:38:40 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-10-17 06:38:40 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-10-17 06:38:40 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 00:27:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 0:29:20
C:\ComboFix2.txt ... 2007-10-17 20:25
.
--- E O F ---
#16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A
Re: Cannot Boot System After Finding Trojan (2)
Please verify if this strangely named folder exists - C:\ComboFix\=\Deckard
#17 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
Upon searching, it appears as though my ComboFix folder is empty. I then ran a search for the folder C:\ComboFix\=\Deckard and this prompt came up:
Quote:
#18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A
|
Re: Cannot Boot System After Finding Trojan (2)
You need to perform a System Restore. The logs are telling me that the Operating System is corrupted. You need to restore to a time before 2007-10-17 18:27
If you're worried about losing files, you can backup any files that were created after 2007-10-17 18:27
#19 (permalink)
TSF Supporter
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP
Re: Cannot Boot System After Finding Trojan (2)
So once I create a system restore, all my files from 10-17 on may be deleted? Because I'm not worried so much about anything as far back as, say, the beginning of Sept. But just in case... how should I go about making backups before I perform this system restore? And how should I perform this system restore?
#20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A
Re: Cannot Boot System After Finding Trojan (2)
Quote:
Quote:
C:\WINDOWS\system32\Restore\rstui.exe. Double-click the file to launch System Restore