Malware Bytes + Hijackthis log files!

Magikarp · 06-30-2009, 01:13 AM

I know it's a long shot, i downloaded a WoW keylogger and followed a guide to remove it, thought i'd try my hand to see if anyone from GoN can read these things :P. Am posting on multiple forums, if i can't get a definitive answer i'll reformat but i won't get my account back for 2+ weeks so thought i'd try.

Malware bytes

Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 2

6/30/2009 3:51:25 PM
mbam-log-2009-06-30 (15-51-25).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 135356
Time elapsed: 17 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 13

Memory Processes Infected:
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb1927 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1059 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1882 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc7927 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\AND\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\AND\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\AND\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\AND\Desktop\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\AND\local settings\application data\Mozilla\Firefox\Profiles\kkdcvbtq.default\Cache\D8AABD14d01 (Rogue.Installer) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\DataBase.ref (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\MalwareRemovalBot.url (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\vistaCPtasks.xml (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\AND\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\AND\application data\malwareremovalbot\Log\2009 Jun 30 - 03_11_03 PM_562.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\AND\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\Desktop\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:58 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Documents and Settings\AND\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Documents and Settings\AND\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AND\Local Settings\Application Data\Dyyno Receiver\DPPM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101852&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.partypoker.com/pam_images/i ... d=en&sid=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\AND\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AND\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\DOCUME~1\AND\LOCALS~1\Temp\69300622959mxx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9310 bytes

tetonbob · 07-02-2009, 10:30 AM

Hello and Welcome.

Regarding the posting at multiple forums, see this in our pre-posting instructions

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.

As far as requesting assistance here....

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a

Quote:

Having problems with spyware and pop-ups? First Steps

link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

06-30-2009, 01:13 AM	#1 (permalink)
Magikarp Registered User Join Date: Jun 2009 Posts: 1 OS: WinXP 32 Bit	Malware Bytes + Hijackthis log files! I know it's a long shot, i downloaded a WoW keylogger and followed a guide to remove it, thought i'd try my hand to see if anyone from GoN can read these things :P. Am posting on multiple forums, if i can't get a definitive answer i'll reformat but i won't get my account back for 2+ weeks so thought i'd try. Malware bytes Malwarebytes' Anti-Malware 1.38 Database version: 2353 Windows 5.1.2600 Service Pack 2 6/30/2009 3:51:25 PM mbam-log-2009-06-30 (15-51-25).txt Scan type: Full Scan (C:\\|H:\\|) Objects scanned: 135356 Time elapsed: 17 minute(s), 58 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 9 Registry Values Infected: 7 Registry Data Items Infected: 0 Folders Infected: 5 Files Infected: 13 Memory Processes Infected: C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb1927 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1059 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1882 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc7927 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\All Users\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\AND\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\AND\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\AND\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. Files Infected: c:\documents and settings\AND\Desktop\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully. c:\documents and settings\AND\local settings\application data\Mozilla\Firefox\Profiles\kkdcvbtq.default\Cache\D8AABD14d01 (Rogue.Installer) -> Quarantined and deleted successfully. c:\program files\malwareremovalbot\DataBase.ref (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\program files\malwareremovalbot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\program files\malwareremovalbot\MalwareRemovalBot.url (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\program files\malwareremovalbot\vistaCPtasks.xml (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\AND\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\AND\application data\malwareremovalbot\Log\2009 Jun 30 - 03_11_03 PM_562.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\AND\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. c:\documents and settings\all users\Desktop\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:50:58 PM, on 6/30/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Steam\Steam.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Curse\CurseClient.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Documents and Settings\AND\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe C:\Documents and Settings\AND\Local Settings\Application Data\Google\Update\GoogleUpdate.exe C:\Program Files\Xfire\Xfire.exe C:\Program Files\OpenOffice.org 3\program\soffice.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\OpenOffice.org 3\program\soffice.bin C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Java\jre6\bin\jucheck.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\AND\Local Settings\Application Data\Dyyno Receiver\DPPM.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101852&l=dis R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.partypoker.com/pam_images/i ... d=en&sid=1 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\AND\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AND\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\DOCUME~1\AND\LOCALS~1\Temp\69300622959mxx.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 9310 bytes