Help, please....Thank You!!!!!

Post by bob38058 » August 4th, 2007, 10:27 pm

Computer is barely responding.....
Here is the scan:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:03:34 PM, on 8/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\qwerty12.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Bob Parchman\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\EACCEL~1\Station\station.exe
C:\Documents and Settings\Bob Parchman\Local Settings\Temporary Internet Files\Content.IE5\2HMD87OF\HiJackThis_v2[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4E11BBF0-6F27-4105-8422-8800D821E434} - c:\windows\system32\afnpafn.dll
O2 - BHO: (no name) - {64988904-C617-4599-8CFA-0B8F5CE911D1} - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\tmp11.tmp.dll
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\RunOnce: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O20 - Winlogon Notify: absvwuuc - C:\WINDOWS\SYSTEM32\afnpafn.dll
O20 - Winlogon Notify: igfK32 - C:\WINDOWS\SYSTEM32\igfK32.dll
O20 - Winlogon Notify: ysslpay - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\lttf.dll
O21 - SSODL: vrTfcZHDn - {F89316E0-5239-BC4A-5616-83C0C5DF8E42} - C:\WINDOWS\System32\rdzq.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: gkj - {3E898EEA-FEFA-451b-ACF2-7561F94B1191} - C:\WINDOWS\System32\ert.dll (file missing)
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\lttf.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

--
End of file - 3711 bytes
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm
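As an added illustration (not code from this thread or from HijackThis itself), a small Python triage pass over the log format posted above: it parses the `O2`/`O20`/`O21`/`O22`/`O23` entries and flags the ones a reviewer would question, such as unnamed BHOs, Winlogon Notify and SSODL DLLs outside a baseline, services with no vendor, and load points whose target file is missing. The allow-lists are an assumption, a minimal baseline of the Windows XP components that legitimately sit at those load points.

```python
import re
from dataclasses import dataclass

# Assumed baseline (illustrative, not authoritative): Windows XP components that
# legitimately occupy these load points. Anything else is worth a closer look.
WINLOGON_NOTIFY_OK = {"crypt32.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}
SSODL_OK = {"webcheck.dll", "stobject.dll"}
SHARED_TASK_OK = {"browseui.dll"}

# Every HijackThis finding starts with a section tag (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

# Constructed sample: lines copied from bob38058's first log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4E11BBF0-6F27-4105-8422-8800D821E434} - c:\windows\system32\afnpafn.dll
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O20 - Winlogon Notify: absvwuuc - C:\WINDOWS\SYSTEM32\afnpafn.dll
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\lttf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: gkj - {3E898EEA-FEFA-451b-ACF2-7561F94B1191} - C:\WINDOWS\System32\ert.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str


def _path_of(body: str) -> str:
    """The file reference is the last ' - ' separated field, minus HJT's status suffixes."""
    last = body.rsplit(" - ", 1)[-1]
    for suffix in ("(file missing)", "(no file)"):
        last = last.replace(suffix, "")
    return last.strip().strip('"')


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return the entries a reviewer would question, with the reason for each."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        path = _path_of(body)
        name = _basename(path)
        # A load point whose target is gone is still a load point and still gets cleaned up.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(sec, path, "dangling load point, target file missing"))
        if sec == "O2" and "(no name)" in body:
            findings.append(Finding(sec, path, "Browser Helper Object without a name"))
        elif sec == "O20" and name not in WINLOGON_NOTIFY_OK:
            findings.append(Finding(sec, path, "Winlogon Notify DLL outside the baseline"))
        elif sec == "O21" and name not in SSODL_OK:
            findings.append(Finding(sec, path, "ShellServiceObjectDelayLoad DLL outside the baseline"))
        elif sec == "O22" and name not in SHARED_TASK_OK:
            findings.append(Finding(sec, path, "SharedTaskScheduler DLL outside the baseline"))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, path, "service with no vendor information"))
    return findings


def report(log_text: str) -> str:
    """One line per finding, in the order the entries appear in the log."""
    return "\n".join(f"{f.section:<4} {f.reason}: {f.path}" for f in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```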

Post by Angelfire777 » August 5th, 2007, 2:25 am

Hello, Welcome to Malware removal.

please be patient as I whip up a fix for you :)
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Post by Angelfire777 » August 5th, 2007, 2:38 am

Hi,

HijackThis is currently in a folder where the backups that will be created during the fix are most likely to be deleted. Please create a new folder on your desktop and name it HJT or anything you want, then move HijackThis from this location: C:\Documents and Settings\Bob Parchman\Local Settings\Temporary Internet Files\Content.IE5\2HMD87OF\HiJackThis_v2[1].exe to the new folder on the desktop you just created.

You may need to configure your machine to view hidden files to navigate to the folders:

Windows XP
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.


Since you have 2 HijackThis.exe running, the other on your desktop, I'm not sure if both are the same version; if they are, you just need to move it from your desktop to the new folder you created.
_______

Your current antivirus, eAcceleration, was previously listed in the list of rogue antispyware programs: http://spywarewarrior.com/rogue_anti-spyware.htm

Also, it seems not to be doing its job; your machine is infested with a lot of malware, so I recommend that you uninstall eAcceleration (aka StopSign) and change to one of these:

» Avast!
» AVG AntiVirus
» AntiVir
_________

Download combofix.exe

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

New logs

Post by bob38058 » August 6th, 2007, 9:07 am

Sorry that it has taken me so long to get these scans. The computer has been crashing while trying to run them. I moved HijackThis from the desktop to a safe folder. ComboFix is still on the desktop, hope that is not a problem. I have configured Windows to show all files.
Thank you, so much, for your help, Bob
ComboFix 07-08-06.5 - "Bob Parchman" 2007-08-06 7:59:32.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.742 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\BOBPAR~1\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp12.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\BOBPAR~1\APPLIC~1\tmpF.tmp.exe
C:\DOCUME~1\BOBPAR~1\Desktop.\internet explorer.lnk
C:\Documents and Settings\BOBPAR~1\spooldr.ini


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-22 15:57 165,888 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-08-17 12:30 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-08-17 12:30 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-08-17 12:27 756,224 --a------ C:\WINDOWS\SYSTEM32\dvlrkcby.dll
2007-08-05 22:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:25 <DIR> d---s---- C:\DOCUME~1\KATEPA~1\UserData
2007-08-05 22:10 1,205,111 ---hs---- C:\WINDOWS\qruwwa.ini2
2007-08-05 21:54 7,680 --a------ C:\sysnrun.exe
2007-08-05 21:53 <DIR> d-------- C:\HJT
2007-08-05 21:44 89,902 --a------ C:\WINDOWS\SYSTEM32\dnf89316df.dat
2007-08-04 19:49 1,204,923 ---hs---- C:\WINDOWS\kmlopo.ini2
2007-08-04 19:09 131,448 --a------ C:\WINDOWS\opolmk.dll
2007-08-04 18:45 131,448 --a------ C:\WINDOWS\yababx.dll
2007-08-04 18:43 4,096 --a------ C:\WINDOWS\SYSTEM32\dfrgntfs.dll
2007-08-04 17:57 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-08-04 17:57 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-08-04 17:57 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2007-08-04 17:57 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2007-08-04 17:57 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-08-04 17:56 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2007-08-04 17:56 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2007-08-04 17:56 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2007-08-04 17:56 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2007-08-04 17:56 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2007-08-04 17:56 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2007-08-04 17:56 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2007-08-04 17:56 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2007-08-04 17:56 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2007-08-04 17:56 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2007-08-04 17:56 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-08-04 17:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-04 14:27 97,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fwcore.sys
2007-08-04 12:27 <DIR> d-------- C:\Program Files\D-Link
2007-08-04 07:24 8,705 --a------ C:\WINDOWS\SYSTEM32\nkxdxruw.exe
2007-08-04 07:24 10,756 --a------ C:\WINDOWS\SYSTEM32\rtabnyrg.exe
2007-07-27 19:13 8,505 --a------ C:\WINDOWS\SYSTEM32\erninxcz.exe
2007-07-20 09:46 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-20 09:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-20 09:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx2.dll
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx3.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-07-20 09:27 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-07-20 09:27 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-07-20 09:27 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-07-20 08:23 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-20 08:23 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-20 08:23 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-20 08:23 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-20 08:17 <DIR> d-------- C:\WINDOWS\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-17 12:24 125440 --a------ C:\WINDOWS\system32\tovtbdrt.dll
2007-08-06 00:23 348160 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-05 14:49 --------- d-------- C:\Program Files\wmconnect
2007-08-04 22:53 --------- d-------- C:\Program Files\Viewpoint
2007-08-04 22:52 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 18:43 --------- d-------- C:\DOCUME~1\BOBPAR~1\APPLIC~1\eAcceleration
2007-08-04 18:02 --------- d-------- C:\Program Files\Messenger
2007-08-04 14:26 --------- d-------- C:\Program Files\eAcceleration
2007-08-04 14:22 --------- d-------- C:\Program Files\Acceleration Software
2007-08-04 13:53 --------- d-------- C:\Program Files\Common Files\eAcceleration
2007-08-04 13:53 --------- d-------- C:\Program Files\AdwareAlert
2007-08-04 12:40 --------- d-------- C:\Program Files\PartyGaming
2007-07-20 08:24 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-24 20:45 --------- d-------- C:\Program Files\Edventure Software
2007-06-24 20:41 63488 --a------ C:\WINDOWS\xobglu16.dll
2007-06-24 20:41 23552 --a------ C:\WINDOWS\xobglu32.dll
2007-06-24 20:35 --------- d-------- C:\Program Files\Scholastic
2007-06-24 14:34 --------- d-------- C:\Program Files\Microsoft Kids
2007-06-22 14:45 --------- d-------- C:\Program Files\FinePixViewer
2002-10-08 11:37 207759 --a------ C:\Program Files\INSTALL.LOG

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
327,168 2001-08-18 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
332,928 2002-08-29 08:58:12 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
340,480 2006-04-20 11:38:44 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
359,808 2006-04-20 11:51:50 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
348,160 2007-08-06 05:23:57 C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E11BBF0-6F27-4105-8422-8800D821E434}]
c:\windows\system32\afnpafn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
2007-08-04 18:43 593920 ---h----- C:\WINDOWS\msagent\CHARS\ysslpay.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnAccess"="C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" [2006-10-24 19:21]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2006-08-09 13:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"StopSignSsFwMon"=Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Bob Parchman\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"= C:\PROGRA~1\EACCEL~1\OnAccess\sehk.dll [2006-10-24 19:21 71256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfK32]
igfK32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysslpay]
C:\WINDOWS\msagent\CHARS\ysslpay.dll 2007-08-04 18:43 593920 C:\WINDOWS\MSAGENT\CHARS\ysslpay.dll

R0 fwcore;Fwcore Filter;C:\WINDOWS\System32\drivers\fwcore.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe -Service
R2 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys
R2 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\System32\DRIVERS\m4cxw2k3.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys
S2 HETUMXCZ;HETUMXCZ;\??\C:\WINDOWS\System32\hetumxcz.jzq
S2 mehtqnso;TCP/IP Protocol Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\System32\DRIVERS\mr97310v.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mehtqnso
uploadmgrldrsvc


Contents of the 'Scheduled Tasks' folder
2007-08-05 06:55:00 C:\WINDOWS\Tasks\Start Scan.job - C:\PROGRA~1\ACCELE~1\ANTI-V~1\STOPSI~1.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 08:02:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\Sti_Trace.log:lyuryq 11385 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-06 8:02:57
C:\ComboFix-quarantined-files.txt ... 2007-08-06 08:02
C:\ComboFix2.txt ... 2007-08-06 01:13
C:\ComboFix3.txt ... 2007-08-06 00:41

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:05:02 AM, on 8/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\PROGRA~1\EACCEL~1\Station\station.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4E11BBF0-6F27-4105-8422-8800D821E434} - c:\windows\system32\afnpafn.dll (file missing)
O2 - BHO: (no name) - {64988904-C617-4599-8CFA-0B8F5CE911D1} - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\RunOnce: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O20 - Winlogon Notify: igfK32 - igfK32.dll (file missing)
O20 - Winlogon Notify: ysslpay - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

--
End of file - 2503 bytes
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

new browser, etc

Post by bob38058 » August 6th, 2007, 9:19 am

Hi,
Is it safe for me to download a Firefox browser now? Also, what antivirus/anti-spam/anti-spyware package or combination is the best? I really want to do everything possible to prevent this in the future. Thank You!!
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Post by Angelfire777 » August 7th, 2007, 12:32 am

Hi,
Is it safe for me to download a Firefox browser now?


Yes, there's no harm in downloading Firefox; in fact, it's a security addition.

Also, what antivirus/anti-spam/anti-spyware package or combination is the best? I really want to do everything possible to prevent this in the future. Thank You!!


If you are willing to pay, Kaspersky AntiVirus and Nod32 are the best.

If not, you can start by reading my recommendations in my previous post.
________

*Uninstall the items in bold if found:

AdwareAlert
That program was listed before in the list of Rogue Antispyware applications HERE. Though it was de-listed in 2005, I strongly recommend that you do not use it because we may never know their tactics or schemes. There are a lot of other alternatives out there that are far better than this.

Party Poker
The sites where you play these programs are sometimes vectors for malware to enter in your system. I recommend that if you play this game, consider this cleaner and free alternative: http://www.pokerstars.net

Viewpoint
Viewpoint Media Player
Viewpoint Manager
Viewpoint Toolbar

(Any entries with Viewpoint in it)
Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Delete the following folders if you uninstalled their corresponding programs:

C:\Program Files\AdwareAlert
C:\Program Files\PartyGaming

Empty your recycle bin.
_________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________

Combofix Deletions
  • Open Notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
File::
C:\WINDOWS\qruwwa.ini2
C:\WINDOWS\kmlopo.ini2
C:\WINDOWS\opolmk.dll
C:\WINDOWS\yababx.dll
C:\WINDOWS\SYSTEM32\dfrgntfs.dll
C:\WINDOWS\SYSTEM32\nkxdxruw.exe
C:\WINDOWS\SYSTEM32\rtabnyrg.exe
C:\WINDOWS\SYSTEM32\erninxcz.exe
C:\WINDOWS\msagent\CHARS\ysslpay.dll

Folder::
C:\Program Files\Viewpoint

ADS::
C:\WINDOWS\Sti_Trace.log

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E11BBF0-6F27-4105-8422-8800D821E434}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfK32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysslpay]

  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
__________

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type move.bat in the File name and save it to your desktop.

Code:
@echo off
rem Put the Service Pack copy of tcpip.sys back over the one ComboFix reported as infected,
rem then list every tcpip.sys under the drivers folder with its size and timestamp.
copy /y "C:\WINDOWS\ServicePackFiles\i386\tcpip.sys" "C:\WINDOWS\SYSTEM32\DRIVERS"

For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\system32\drivers\tcpip.sys') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt & exit


Locate move.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
__________

Download the RegSearch tool by Bobbi Flekman

Unzip it to your desktop

In the search box, enter the keywords below & click "Ok".

mehtqnso
HETUMXCZ


Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.
__________

I would like you to scan a few files for me.

Please go HERE. Click Browse, then navigate to this file:

C:\WINDOWS\System32\hetumxcz.jzq

Then click submit.

Do the same for these files:
C:\WINDOWS\SYSTEM32\dvlrkcby.dll
C:\sysnrun.exe
C:\WINDOWS\system32\tovtbdrt.dll

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.
____________

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

On your next reply, please include a fresh HijackThis log, Kaspersky scan log, ComboFix log, RegSearch results, and the results from move.bat.
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Sorry for the delay

Post by bob38058 » August 8th, 2007, 1:31 am

Hi,
I deleted Party Poker & Viewpoint. I ran the HijackThis scan & checked the 2 files: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
and tried to delete them, but they came back.
I was unable to run the Kaspersky Online Scanner. I could not navigate to the Accept license button. I'm not sure which Internet Explorer I'm running. I could not make the browser large enough to get to the button, sorry. If you have any tips, or if I need to download a newer browser, I'll do my best.
I do, really, want to thank you so much for helping me! I had no idea how infected my computer is, and definitely would not know how to fix it. Thank You!!!! Bob

Here are the logs that you asked me to run:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:11:55 AM, on 8/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\EACCEL~1\Station\station.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {64988904-C617-4599-8CFA-0B8F5CE911D1} - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunOnce: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O20 - Winlogon Notify: ysslpay - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

--
End of file - 3521 bytes

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 8/7/2007 11:03:01 PM for strings:
; 'mehtqnso'
; 'hetumxcz'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
; Contents of value:
; 6to4
; AppMgmt
; AudioSrv
; Browser
; CryptSvc
; DMServer
; DHCP
; ERSvc
; EventSystem
; FastUserSwitchingCompatibility
; HidServ
; Ias
; Iprip
; Irmon
; mehtqnso
; LanmanServer
; LanmanWorkstation
; Messenger
; Netman
; Nla
; Ntmssvc
; NWCWorkstation
; Nwsapagent
; Rasauto
; Rasman
; Remoteaccess
; Schedule
; Seclogon
; SENS
; Sharedaccess
; SRService
; Tapisrv
; Themes
; TrkWks
; W32Time
; WZCSVC
; Wmi
; WmdmPmSp
; winmgmt
; TermService
; wuauserv
; BITS
; ShellHWDetection
; helpsvc
; uploadmgrldrsvc

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000]
"Service"="HETUMXCZ"
"DeviceDesc"="HETUMXCZ"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000]
"Service"="mehtqnso"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000\Control]
"ActiveService"="mehtqnso"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ]
; Contents of value:
; \??\C:\WINDOWS\System32\hetumxcz.jzq
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ\Enum]
"0"="Root\\LEGACY_HETUMXCZ\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso\Enum]
"0"="Root\\LEGACY_MEHTQNSO\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ\0000]
"Service"="HETUMXCZ"
"DeviceDesc"="HETUMXCZ"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEHTQNSO]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEHTQNSO\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEHTQNSO\0000]
"Service"="mehtqnso"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HETUMXCZ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HETUMXCZ]
; Contents of value:
; \??\C:\WINDOWS\System32\hetumxcz.jzq
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HETUMXCZ\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mehtqnso]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mehtqnso\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000]
"Service"="HETUMXCZ"
"DeviceDesc"="HETUMXCZ"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000]
"Service"="mehtqnso"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000\Control]
"ActiveService"="mehtqnso"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ]
; Contents of value:
; \??\C:\WINDOWS\System32\hetumxcz.jzq
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ\Enum]
"0"="Root\\LEGACY_HETUMXCZ\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso\Enum]
"0"="Root\\LEGACY_MEHTQNSO\\0000"

; End Of The Log...

C:\WINDOWS\System32\hetumxcz.jzq file not found

File: dvlrkcby.dll
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: e7fba52c9e97ae5ddd3bd253519dc239
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 08 Aug 2007 04:42:28 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.ConHook.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Clicker.HRP
BitDefender
Found Trojan.Dldr.Conhook.AH
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
NOD32
Found nothing
Norman Virus Control
Found W32/BHO.QG
Panda Antivirus
Found nothing
Rising Antivirus
Found Trojan.Clicker.Win32.Delf.hi
Sophos Antivirus
Found Mal/EncPk-M
VirusBuster
Found nothing
VBA32
Found nothing


C:\sysnrun.exe

File: sysnrun.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: eed047c97d8773479eb09d7bd6ba4fca
Packers detected:
-
Bit9 reports: File not found

Scanner results
Scan taken on 08 Aug 2007 04:46:06 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.U.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Obfustat.AJC
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Packed.153
F-Prot Antivirus
Found Possibly a new variant of W32/CodeCru-based!Maximus
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found Generic
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/HckPk-A
VirusBuster
Found nothing
VBA32
Found Trojan-PSW.Pinch.65 (paranoid heuristics) (probable variant)

C:\WINDOWS\system32\tovtbdrt.dll

File: tovtbdrt.dll
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9710c7b22e7b3121f0a25a6f2b258f3b
Packers detected:
-
Bit9 reports: File not found

Scanner results
Scan taken on 08 Aug 2007 04:50:07 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.ConHook.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Obfustat.CZZ
BitDefender
Found Trojan.Dldr.Conhook.AA
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
NOD32
Found nothing
Norman Virus Control
Found W32/BHO.QG
Panda Antivirus
Found nothing
Rising Antivirus
Found Trojan.Clicker.Win32.Delf.hi
Sophos Antivirus
Found Mal/EncPk-M
VirusBuster
Found nothing
VBA32
Found nothing

ComboFix 07-08-06.5 - "Bob Parchman" 2007-08-08 0:21:19.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.614 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Bob Parchman\Recent\CFscript.lnk
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-22 15:57 165,888 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-08-17 12:30 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-08-17 12:30 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-08-17 12:27 756,224 --a------ C:\WINDOWS\SYSTEM32\dvlrkcby.dll
2007-08-06 12:53 475,136 --a------ C:\WINDOWS\Uninstaller.exe
2007-08-06 10:22 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-08-06 10:22 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-08-06 10:22 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-08-06 10:22 783,224 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-08-06 10:22 499,712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2007-08-06 10:22 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-08-06 10:22 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-08-06 10:22 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-08-06 10:22 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-08-06 10:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-05 22:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:25 <DIR> d---s---- C:\DOCUME~1\KATEPA~1\UserData
2007-08-05 22:10 1,205,111 ---hs---- C:\WINDOWS\qruwwa.ini2
2007-08-05 21:54 7,680 --a------ C:\sysnrun.exe
2007-08-05 21:53 <DIR> d-------- C:\HJT
2007-08-05 21:44 89,902 --a------ C:\WINDOWS\SYSTEM32\dnf89316df.dat
2007-08-04 19:49 1,204,923 ---hs---- C:\WINDOWS\kmlopo.ini2
2007-08-04 19:09 131,448 --a------ C:\WINDOWS\opolmk.dll
2007-08-04 18:45 131,448 --a------ C:\WINDOWS\yababx.dll
2007-08-04 18:43 4,096 --a------ C:\WINDOWS\SYSTEM32\dfrgntfs.dll
2007-08-04 17:57 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-08-04 17:57 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-08-04 17:57 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2007-08-04 17:57 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2007-08-04 17:57 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-08-04 17:56 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2007-08-04 17:56 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2007-08-04 17:56 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2007-08-04 17:56 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2007-08-04 17:56 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2007-08-04 17:56 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2007-08-04 17:56 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2007-08-04 17:56 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2007-08-04 17:56 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2007-08-04 17:56 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2007-08-04 17:56 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-08-04 17:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-04 14:27 97,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fwcore.sys
2007-08-04 12:27 <DIR> d-------- C:\Program Files\D-Link
2007-08-04 07:24 8,705 --a------ C:\WINDOWS\SYSTEM32\nkxdxruw.exe
2007-07-27 19:13 8,505 --a------ C:\WINDOWS\SYSTEM32\erninxcz.exe
2007-07-20 09:46 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-20 09:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-20 09:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx2.dll
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx3.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-07-20 09:27 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-07-20 09:27 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-07-20 09:27 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-07-20 08:23 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-20 08:23 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-20 08:23 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-20 08:23 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-20 08:17 <DIR> d-------- C:\WINDOWS\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-17 12:24 125440 --a------ C:\WINDOWS\system32\tovtbdrt.dll
2007-08-07 14:48 --------- d-------- C:\Program Files\wmconnect
2007-08-04 22:53 --------- d-------- C:\Program Files\Viewpoint
2007-08-04 22:52 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 18:43 --------- d-------- C:\DOCUME~1\BOBPAR~1\APPLIC~1\eAcceleration
2007-08-04 18:02 --------- d-------- C:\Program Files\Messenger
2007-08-04 14:26 --------- d-------- C:\Program Files\eAcceleration
2007-08-04 14:22 --------- d-------- C:\Program Files\Acceleration Software
2007-08-04 13:53 --------- d-------- C:\Program Files\Common Files\eAcceleration
2007-07-20 08:24 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-24 20:45 --------- d-------- C:\Program Files\Edventure Software
2007-06-24 20:41 63488 --a------ C:\WINDOWS\xobglu16.dll
2007-06-24 20:41 23552 --a------ C:\WINDOWS\xobglu32.dll
2007-06-24 20:35 --------- d-------- C:\Program Files\Scholastic
2007-06-24 14:34 --------- d-------- C:\Program Files\Microsoft Kids
2007-06-22 14:45 --------- d-------- C:\Program Files\FinePixViewer
2002-10-08 11:37 207759 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
2007-08-04 18:43 593920 ---h----- C:\WINDOWS\msagent\CHARS\ysslpay.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnAccess"="C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" [2006-10-24 19:21]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2006-08-09 13:56]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-02-27 13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"StopSignSsFwMon"=Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Bob Parchman\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"= C:\PROGRA~1\EACCEL~1\OnAccess\sehk.dll [2006-10-24 19:21 71256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysslpay]
C:\WINDOWS\msagent\CHARS\ysslpay.dll 2007-08-04 18:43 593920 C:\WINDOWS\MSAGENT\CHARS\ysslpay.dll

R0 fwcore;Fwcore Filter;C:\WINDOWS\System32\drivers\fwcore.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe -Service
R2 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys
R2 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\System32\DRIVERS\m4cxw2k3.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys
S2 HETUMXCZ;HETUMXCZ;\??\C:\WINDOWS\System32\hetumxcz.jzq
S2 mehtqnso;TCP/IP Protocol Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\System32\DRIVERS\mr97310v.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mehtqnso
uploadmgrldrsvc


Contents of the 'Scheduled Tasks' folder
2007-08-07 06:55:00 C:\WINDOWS\Tasks\Start Scan.job - C:\PROGRA~1\ACCELE~1\ANTI-V~1\STOPSI~1.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 00:22:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 0:23:29
C:\ComboFix-quarantined-files.txt ... 2007-08-08 00:23
C:\ComboFix2.txt ... 2007-08-07 22:33
C:\ComboFix3.txt ... 2007-08-06 18:51

--- E O F ---
:D :D :D
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Kaspersky Online Virus Scanner

Post by bob38058 » August 8th, 2007, 1:53 am

Hi,
I just got the Kaspersky Online Virus Scanner to work, but it is almost 1am, so, I'm going to bed now & will run it first thing in the morning.... Thanks, Bob
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Post by Angelfire777 » August 8th, 2007, 2:02 am

Hi,

The Combofix deletions part was not successful. Also, you didn't post the results of move.bat... Please follow the instructions carefully and read them one by one.

Do the following again, in order.

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________

Combofix Deletions
  • Open notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
File::
C:\WINDOWS\qruwwa.ini2
C:\WINDOWS\kmlopo.ini2
C:\WINDOWS\opolmk.dll
C:\WINDOWS\yababx.dll
C:\WINDOWS\SYSTEM32\dfrgntfs.dll
C:\WINDOWS\SYSTEM32\nkxdxruw.exe
C:\WINDOWS\SYSTEM32\rtabnyrg.exe
C:\WINDOWS\SYSTEM32\erninxcz.exe
C:\WINDOWS\msagent\CHARS\ysslpay.dll
C:\WINDOWS\System32\hetumxcz.jzq

Driver::
HETUMXCZ

Collect::
C:\WINDOWS\SYSTEM32\dvlrkcby.dll
C:\WINDOWS\system32\tovtbdrt.dll
C:\sysnrun.exe

Folder::
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E11BBF0-6F27-4105-8422-8800D821E434}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysslpay]

  • Save and name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
    Image
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log.
__________

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type export.bat in the File name and save it to your desktop.

Code:
@echo off
cd\
swreg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso" >>report.txt
swreg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uploadmgrldrsvc" >>report.txt
echo.================>>report.txt
For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\system32\drivers\tcpip.sys') Do @echo "%%~g" %%~zg %%~tg >>report.txt
start notepad report.txt & exit


Locate move.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
__________

On your next reply, please include a fresh HijackThis log, the Kaspersky scan log, the ComboFix log and the results from export.bat.
Last edited by Angelfire777 on August 8th, 2007, 8:52 pm, edited 1 time in total.
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am
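As an added example for this thread (not part of any post above, and not a tool the helpers used): a Python decoder for the .reg text that Registry Search, and the swreg export step above, produce. It re-joins the wrapped hex(7)/hex(2) values, decodes the netsvcs REG_MULTI_SZ, lists group members missing from an assumed XP known-good set, and flags any service whose ImagePath is not a .exe/.sys/.dll file (the hetumxcz.jzq case). The sample .reg text is a constructed, shortened excerpt modelled on the log posted above, and the baseline set is my assumption of the default XP netsvcs membership.

```python
"""Decode a .reg export and flag a rogue netsvcs member / odd service ImagePath.
Added example; SAMPLE_REG is a constructed excerpt modelled on the posted log."""
import re

# Constructed excerpt: same layout as the posted Registry Search output.
# hex(7) = REG_MULTI_SZ, hex(2) = REG_EXPAND_SZ, both UTF-16LE, wrapped with '\'.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
; Contents of value:
; 6to4
; AppMgmt
; mehtqnso
; BITS
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,6d,00,65,00,68,00,74,00,71,00,6e,00,73,00,6f,00,00,00,42,\
00,49,00,54,00,53,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"DisplayName"="TCP/IP Protocol Monitor"
"""

_VALUE_RE = re.compile(r'"([^"]+)"=(.*)$')
_HEX_RE = re.compile(r"hex\((\d+)\):(.*)$")


def _decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = _HEX_RE.match(raw)
    if not m:
        return raw  # dword:, plain hex:, etc. are left as written
    kind = int(m.group(1))
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 7:  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ written out as hex
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text):
    """Map each [key] to a dict of its values; wrapped hex lines are re-joined first."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # undo the ',\' line wrapping
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


# Assumed known-good members of the XP 'netsvcs' svchost group. A service that
# adds itself here runs inside a legitimate svchost.exe, so it never shows up
# as its own process; anything outside this set deserves a look.
XP_NETSVCS_BASELINE = {n.casefold() for n in (
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "TermService", "wuauserv", "BITS", "ShellHWDetection", "helpsvc",
)}
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"


def unexpected_netsvcs(keys):
    """Names in the netsvcs group that are not in the assumed baseline."""
    group = keys.get(SVCHOST_KEY, {}).get("netsvcs", [])
    return [name for name in group if name.casefold() not in XP_NETSVCS_BASELINE]


def odd_image_paths(keys):
    """(service, ImagePath) pairs whose image file is not a .exe/.sys/.dll."""
    findings = []
    for key, values in keys.items():
        path = values.get("ImagePath")
        if "\\Services\\" not in key or not isinstance(path, str):
            continue
        if not re.search(r"\.(exe|sys|dll)\b", path, re.I):
            findings.append((key.rsplit("\\", 1)[1], path))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("netsvcs:", parsed[SVCHOST_KEY]["netsvcs"])
    print("not in baseline:", unexpected_netsvcs(parsed))
    print("odd ImagePath:", odd_image_paths(parsed))
```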

Very sorry!

Post by bob38058 » August 8th, 2007, 1:55 pm

Sorry that I messed up the scans. I believe they are correct now.

I submitted this file to bleepingcomputer.com

C:\DOCUME~1\BOBPAR~1\Desktop.\[4]-Submit_2007-08-08_102446.39.zip

ComboFix 07-08-06.5 - "Bob Parchman" 2007-08-08 10:24:50.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.724 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Bob Parchman\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\qruwwa.ini2
C:\WINDOWS\kmlopo.ini2
C:\WINDOWS\opolmk.dll
C:\WINDOWS\yababx.dll
C:\WINDOWS\SYSTEM32\dfrgntfs.dll
C:\WINDOWS\SYSTEM32\nkxdxruw.exe
C:\WINDOWS\SYSTEM32\rtabnyrg.exe
C:\WINDOWS\SYSTEM32\erninxcz.exe
C:\WINDOWS\msagent\CHARS\ysslpay.dll
C:\WINDOWS\System32\hetumxcz.jzq


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\sysnrun.exe
C:\WINDOWS\kmlopo.ini2
C:\WINDOWS\msagent\CHARS\ysslpay.dll
C:\WINDOWS\opolmk.dll
C:\WINDOWS\qruwwa.ini2
C:\WINDOWS\SYSTEM32\dfrgntfs.dll
C:\WINDOWS\SYSTEM32\dvlrkcby.dll
C:\WINDOWS\SYSTEM32\erninxcz.exe
C:\WINDOWS\SYSTEM32\nkxdxruw.exe
C:\WINDOWS\system32\tovtbdrt.dll
C:\WINDOWS\yababx.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_HETUMXCZ
-------\HETUMXCZ


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-22 15:57 165,888 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-08-17 12:30 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-08-17 12:30 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-08-08 00:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-08 00:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 12:53 475,136 --a------ C:\WINDOWS\Uninstaller.exe
2007-08-06 10:22 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-08-06 10:22 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-08-06 10:22 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-08-06 10:22 783,224 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-08-06 10:22 499,712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2007-08-06 10:22 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-08-06 10:22 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-08-06 10:22 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-08-06 10:22 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-08-06 10:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-05 22:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:25 <DIR> d---s---- C:\DOCUME~1\KATEPA~1\UserData
2007-08-05 21:53 <DIR> d-------- C:\HJT
2007-08-05 21:44 89,902 --a------ C:\WINDOWS\SYSTEM32\dnf89316df.dat
2007-08-04 17:57 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-08-04 17:57 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-08-04 17:57 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2007-08-04 17:57 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2007-08-04 17:57 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-08-04 17:56 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2007-08-04 17:56 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2007-08-04 17:56 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2007-08-04 17:56 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2007-08-04 17:56 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2007-08-04 17:56 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2007-08-04 17:56 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2007-08-04 17:56 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2007-08-04 17:56 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2007-08-04 17:56 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2007-08-04 17:56 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-08-04 17:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-04 12:27 <DIR> d-------- C:\Program Files\D-Link
2007-07-20 09:46 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-20 09:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-20 09:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx2.dll
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx3.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-07-20 09:27 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-07-20 09:27 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-07-20 09:27 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-07-20 08:23 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-20 08:23 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-20 08:23 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-20 08:23 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-20 08:17 <DIR> d-------- C:\WINDOWS\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 10:06 --------- d-------- C:\DOCUME~1\BOBPAR~1\APPLIC~1\eAcceleration
2007-08-08 07:32 --------- d-------- C:\Program Files\wmconnect
2007-08-04 22:52 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 18:02 --------- d-------- C:\Program Files\Messenger
2007-07-20 08:24 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-24 20:45 --------- d-------- C:\Program Files\Edventure Software
2007-06-24 20:41 63488 --a------ C:\WINDOWS\xobglu16.dll
2007-06-24 20:41 23552 --a------ C:\WINDOWS\xobglu32.dll
2007-06-24 20:35 --------- d-------- C:\Program Files\Scholastic
2007-06-24 14:34 --------- d-------- C:\Program Files\Microsoft Kids
2007-06-22 14:45 --------- d-------- C:\Program Files\FinePixViewer
2002-10-08 11:37 207759 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-02-27 13:17]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Bob Parchman\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
R2 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys
R2 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\System32\DRIVERS\m4cxw2k3.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\System32\DRIVERS\mr97310v.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys
Stop Pending2 mehtqnso;TCP/IP Protocol Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mehtqnso
uploadmgrldrsvc


Contents of the 'Scheduled Tasks' folder
2007-08-08 06:55:00 C:\WINDOWS\Tasks\Start Scan.job - C:\PROGRA~1\ACCELE~1\ANTI-V~1\STOPSI~1.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 10:28:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 10:30:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 10:30
C:\ComboFix2.txt ... 2007-08-08 00:23
C:\ComboFix3.txt ... 2007-08-07 22:33

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:54:50 PM, on 8/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

--
End of file - 2477 bytes

Thanks again for your patience & all your help! Bob
:D
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby Angelfire777 » August 8th, 2007, 8:53 pm

Hello :)

You didn't post the Kaspersky scan log and the results of export.bat. Please post them, as I need to see them.
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Sorry...

Unread postby bob38058 » August 8th, 2007, 10:06 pm

Sorry,


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

================
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

================

KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 12:50:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/08/2007
Kaspersky Anti-Virus database records: 377200
Scan Settings
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

Scan Target - My Computer
    A:\
    C:\
    D:\
    E:\

Scan Statistics
    Total number of scanned objects: 45083
    Number of viruses found: 28
    Number of infected objects: 63
    Number of suspicious objects: 8
    Duration of the scan process: 00:54:29

Infected Object Name Virus Name Last Action
C:\1671390 Infected: Trojan.Win32.Agent.bi skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\history.dat Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\key3.db Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\parent.lock Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Bob Parchman\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bob Parchman\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Bob Parchman\Desktop\[4]-Submit_2007-08-08_102446.39.zip/dvlrkcby.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\Bob Parchman\Desktop\[4]-Submit_2007-08-08_102446.39.zip/tovtbdrt.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\Bob Parchman\Desktop\[4]-Submit_2007-08-08_102446.39.zip ZIP: suspicious - 2 skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Application Data\Mozilla\Firefox\Profiles\lddmb0uc.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\History\History.IE5\MSHist012007080820070809\index.dat Object is locked skipped
C:\Documents and Settings\Bob Parchman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bob Parchman\ntuser.dat Object is locked skipped
C:\Documents and Settings\Bob Parchman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmp10.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmp11.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmp6.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmp8.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmp9.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmpB.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmpC.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\BOBPAR~1\APPLIC~1\tmpF.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\KATEPA~1\APPLIC~1\tmp1.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\KATEPA~1\APPLIC~1\tmp8.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\WINDOWS\MSAGENT\CHARS\ysslpay.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\opolmk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfrgntfs.dll.vir Infected: Trojan.Win32.Agent.aqo skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS.vir Infected: Rootkit.Win32.Agent.dp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\erninxcz.exe.vir Infected: Packed.Win32.Tibs.ay skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\KB55963079.exe.vir Infected: Trojan-Downloader.Win32.Small.ety skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\KB73687313.exe.vir Infected: Trojan.Win32.Qhost.it skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nkxdxruw.exe.vir Infected: Trojan-Downloader.Win32.Tibs.mv skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qwerty12.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\yababx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\catchme2007-08-06_ 11104.78.zip/gjhklibf.sys Infected: Rootkit.Win32.Podnuha.a skipped
C:\QooBox\Quarantine\catchme2007-08-06_ 11104.78.zip/afnpafn.dll Infected: Trojan-Clicker.Win32.Delf.hi skipped
C:\QooBox\Quarantine\catchme2007-08-06_ 11104.78.zip/igfK32.dll Infected: Trojan.Win32.Agent.bi skipped
C:\QooBox\Quarantine\catchme2007-08-06_ 11104.78.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2007-08-08_102849.96.zip/ysslpay.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\catchme2007-08-08_102849.96.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP185\A0087884.exe Infected: Trojan-Downloader.Win32.Small.vs skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\A0088013.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\A0088014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\A0088015.dll Infected: Trojan.Win32.Agent.aqo skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\A0088016.exe Infected: Trojan-Downloader.Win32.Tibs.mv skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\A0088017.exe Infected: Packed.Win32.Tibs.ay skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\A0088024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP186\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\afnpafn(2).dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\dvlrkcby.dll.bak Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\msfoiaaa.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\tovtbdrt(2).dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\tovtbdrt.dll.bak Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\vxtkaoph.dll Infected: Trojan.Win32.Delf.zj skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_720.dat Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

export.bat

Unread postby bob38058 » August 8th, 2007, 10:18 pm

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

================
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

================
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

================
"C:\WINDOWS\system32\drivers\tcpip.sys" 332928 08/29/2002 03:58 AM
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby Angelfire777 » August 8th, 2007, 11:15 pm

Hi,

I need you to repeat something..

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type export2.bat in the File name and save it to your desktop.

Code:
@echo off
swreg query "HKLM\SYSTEM\CurrentControlSet\Services\mehtqnso">>"%systemroot%\report.txt"
swreg query "HKLM\SYSTEM\CurrentControlSet\Services\uploadmgrldrsvc">>"%systemroot%\report.txt"
start notepad "%systemroot%\report.txt"
exit


Locate export2.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby bob38058 » August 9th, 2007, 6:13 am

Hi, here it is:

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\mehtqnso
<NO NAME> REG_SZ
ImagePath REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k netsvcs
Description REG_SZ TCP/IP Protocol
DisplayName REG_SZ TCP/IP Protocol Monitor
ErrorControl REG_DWORD 1 (0x1)
ObjectName REG_SZ LocalSystem
Start REG_DWORD 2 (0x2)
Type REG_DWORD 32 (0x20)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\mehtqnso\Parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\mehtqnso\Enum

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

Error: Key: system\currentcontrolset\services\uploadmgrldrsvc does not exist!
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm
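The two posts above amount to a manual check of one service key: the helper dumps it with swreg query and reads the ImagePath, DisplayName and Start values by eye. As an added example, not code from the thread or from the SteelWerX tool, here is a small Python parser for the swreg query output format shown in the reply. It pulls the values of each service key out of the text and flags the pattern visible above: a service that runs inside svchost.exe -k netsvcs but whose name is not in the netsvcs group list, which is how a rogue service typically hides among real Windows components. The SAMPLE_OUTPUT string is copied from the post; NETSVCS_GROUP is a constructed, abbreviated stand-in for the REG_MULTI_SZ value at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs, which a real check would read from the live registry rather than hard-code.

```python
import re

# Constructed sample: the swreg query output posted in the thread for the
# service keys 'mehtqnso' and 'uploadmgrldrsvc' (values exactly as shown).
SAMPLE_OUTPUT = """SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\mehtqnso
<NO NAME> REG_SZ
ImagePath REG_EXPAND_SZ %SystemRoot%\\System32\\svchost.exe -k netsvcs
Description REG_SZ TCP/IP Protocol
DisplayName REG_SZ TCP/IP Protocol Monitor
ErrorControl REG_DWORD 1 (0x1)
ObjectName REG_SZ LocalSystem
Start REG_DWORD 2 (0x2)
Type REG_DWORD 32 (0x20)

HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\mehtqnso\\Parameters

HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\mehtqnso\\Enum

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

Error: Key: system\\currentcontrolset\\services\\uploadmgrldrsvc does not exist!
"""

# Constructed, abbreviated subset of the services Windows XP lets svchost host
# in the 'netsvcs' group. In practice read the Svchost\netsvcs value from the
# live registry; this list only illustrates the membership check.
NETSVCS_GROUP = {
    "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "Dhcp", "dmserver",
    "EventSystem", "helpsvc", "lanmanserver", "lanmanworkstation", "Netman",
    "Nla", "RasMan", "Schedule", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "Themes", "TrkWks", "W32Time", "winmgmt", "wuauserv",
    "WZCSVC", "xmlprov",
}

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\(.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r"^(<NO NAME>|\S+)\s+(REG_\w+)\s*(.*)$")
ERROR_RE = re.compile(r"^Error: Key: (.+?) does not exist!$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


def parse_swreg_query(text):
    """Parse swreg query output into ({key_path: {name: (type, data)}}, [missing keys]).

    Key paths are lower-cased and stripped of the HKEY_LOCAL_MACHINE prefix so
    that lookups do not depend on the casing the tool happens to print.
    """
    keys, missing, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ERROR_RE.match(line)
        if m:                       # the tool reports a key that is not there
            missing.append(m.group(1).lower())
            current = None
            continue
        m = KEY_RE.match(line)
        if m:                       # start of a new key listing
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:   # "Name REG_TYPE data" under the current key
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys, missing


def assess_service(keys, missing, service_name, netsvcs_group=NETSVCS_GROUP):
    """Summarise one service key and flag an svchost-hosted service that is
    not a member of the group it claims to run in."""
    path = f"system\\currentcontrolset\\services\\{service_name}".lower()
    report = {"service": service_name, "exists": path in keys,
              "reported_missing": path in missing,
              "svchost_group": None, "in_group_list": None, "suspicious": False}
    values = keys.get(path)
    if values is None:
        return report
    image = values.get("ImagePath", ("", ""))[1]
    report["image_path"] = image
    report["display_name"] = values.get("DisplayName", ("", ""))[1]
    report["start"] = values.get("Start", ("", ""))[1]
    report["account"] = values.get("ObjectName", ("", ""))[1]
    m = SVCHOST_RE.search(image)
    if m:
        group = m.group(1)
        report["svchost_group"] = group
        if group.lower() == "netsvcs":
            known = {s.lower() for s in netsvcs_group}
            report["in_group_list"] = service_name.lower() in known
            # A netsvcs-hosted service unknown to the group list deserves a look.
            report["suspicious"] = not report["in_group_list"]
    return report


if __name__ == "__main__":
    parsed, absent = parse_swreg_query(SAMPLE_OUTPUT)
    for svc in ("mehtqnso", "uploadmgrldrsvc"):
        print(assess_service(parsed, absent, svc))
```

Run against the posted output, the script reports mehtqnso as an auto-start (Start=2) LocalSystem service hosted in netsvcs that is absent from the group list and presents itself as "TCP/IP Protocol Monitor", while uploadmgrldrsvc is reported as missing, matching the error line the tool printed. The membership check is the useful part: a legitimate svchost-hosted service is always named in its group's REG_MULTI_SZ value, so a mismatch is a cheap, reliable signal during a manual clean-up like this one.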