Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

IEXPLORE.exe is at 100%

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby ber88 » September 26th, 2007, 9:17 am

Hi,

1. No RED entries in IceSword lists.

2. The data column at reganal32 contains C:\WINDOWS\system32\reganal32.exe but couldn't be found in files list.

3.Please find below the requested reports :

ComboFix 07-09-18.4 - "Oved" 2007-09-26 12:01:15.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.117 [GMT 2:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\dbghd3dx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dbghd3dx.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-24 21:00 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-19 20:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-31 15:05 16 --a------ C:\WINDOWS\gfr.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-23 19:30 741376 --a------ C:\WINDOWS\system32\libeay32.dll
2007-08-23 19:30 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-18_185929.86 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 12:05:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 12:08:04
C:\ComboFix2.txt ... 2007-09-24 21:37
C:\ComboFix-quarantined-files.txt ... 2007-09-26 12:08
C:\ComboFix3.txt ... 2007-09-24 02:17
.
--- E O F ---


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:44:52 PM 9/26/2007

+ Scan result:



D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122588.EXE -> Adware.BargainBuddy : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122589.EXE -> Adware.BargainBuddy : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122586.exe/cd_clint.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122586.exe/cd_load.exe -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122586.exe/cd_swf.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122590.DLL -> Adware.Exact : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122591.DLL -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122585.exe/Sponsor.exe -> Downloader.Swizzor.bt : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122587.EXE -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Oved\Cookies\oved@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.289:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@castup[1].txt -> TrackingCookie.Castup : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@switch5.castup[1].txt -> TrackingCookie.Castup : Cleaned.
:mozilla.394:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.491:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.392:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Info : Cleaned.
:mozilla.410:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Info : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.210:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.224:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.237:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.239:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.87:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@a.total-media[1].txt -> TrackingCookie.Total-media : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122579.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122580.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122581.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122582.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122573.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP726\A0125261.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\dbghd3dx.exe.vir -> Worm.Warezov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122574.exe -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122575.dll -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122576.dll -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122594.dll -> Worm.Warezov.mo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122577.dll -> Worm.Warezov.nm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122578.exe -> Worm.Warezov.nm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122584.exe -> Worm.Warezov.ou : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122595.DLL -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122596.DLL -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122597.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122598.EXE -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122583.exe -> Worm.Warezov.ps : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 2:47:26 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Programs\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm
Advertisement
Register to Remove

Unread postby Scotty » September 26th, 2007, 10:56 am

Hello

Open Notepad and Copy/Paste the text in the codebox below into it:

Code: Select all
Registry:: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"reganal32"=-



Save this as "CFScript"

Image


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby Scotty » October 2nd, 2007, 4:06 am

Hello

Still needing our help?
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby ber88 » October 5th, 2007, 1:14 am

Sorry for late reponse ...
The site's notice went to my junk mail folder.
Anyways , Yes I do need your help .

Please find below the logs you had been asked :
ComboFix 07-09-18.4 - "Oved" 2007-10-04 20:41:39.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.127 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-09-24 21:00 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-19 20:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-23 19:30 741376 --a------ C:\WINDOWS\system32\libeay32.dll
2007-08-23 19:30 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-18_185929.86 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 20:45:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 20:48:15
C:\ComboFix3.txt ... 2007-09-24 21:37
C:\ComboFix2.txt ... 2007-09-26 12:08
C:\ComboFix-quarantined-files.txt ... 2007-10-04 20:48
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:49:40 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\MI696F~1\Office\OUTLOOK.EXE
C:\WINDOWS\explorer.exe
D:\Programs\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 05, 2007 7:08:46 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 5/10/2007
Kaspersky Anti-Virus database records: 427408
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 161269
Number of viruses found: 12
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 07:18:11

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Oved\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Oved\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Temp\~DFA380.tmp Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\History\History.IE5\MSHist012007100420071005\index.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/10 Aug 2005 21:55 to Oved Berlowitz:Fw: The picture is sent on S/original.zip/1212.exe Infected: Email-Worm.Win32.Bagle.cg skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/10 Aug 2005 21:55 to Oved Berlowitz:Fw: The picture is sent on S/original.zip Infected: Email-Worm.Win32.Bagle.cg skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/15 Jan 2006 22:28 to Oved Berlowitz:FW: Hello/Details.zip/Details.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/15 Jan 2006 22:28 to Oved Berlowitz:FW: Hello/Details.zip Infected: Email-Worm.Win32.NetSky.aa skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/16 Jan 2006 19:21 to nfc@newsletter.barak.net.il; nfc-bounce@new/Details.zip/Details.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/16 Jan 2006 19:21 to nfc@newsletter.barak.net.il; nfc-bounce@new/Details.zip Infected: Email-Worm.Win32.NetSky.aa skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 6 skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Identities\{E8EABECC-E823-4274-AFFB-5F67D37F69F3}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <custservice_8183719247530@ebay.com>][Date Sat, 01 Feb 2003 20:58:16 -0600]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Identities\{E8EABECC-E823-4274-AFFB-5F67D37F69F3}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Identities\{E8EABECC-E823-4274-AFFB-5F67D37F69F3}\Microsoft\Outlook Express\Sent Items.dbx/[From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200]/UNNAMED/original.zip/1212.exe Infected: Email-Worm.Win32.Bagle.cg skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Identities\{E8EABECC-E823-4274-AFFB-5F67D37F69F3}\Microsoft\Outlook Express\Sent Items.dbx/[From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200]/UNNAMED/original.zip Infected: Email-Worm.Win32.Bagle.cg skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Identities\{E8EABECC-E823-4274-AFFB-5F67D37F69F3}\Microsoft\Outlook Express\Sent Items.dbx/[From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.cg skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Identities\{E8EABECC-E823-4274-AFFB-5F67D37F69F3}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Oved\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Oved\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119441.DLL Infected: Email-Worm.Win32.Warezov.mg skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122624.DLL Infected: Email-Worm.Win32.Warezov.mg skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124868.dll Infected: Email-Worm.Win32.Warezov.rw skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124874.DLL Infected: Email-Worm.Win32.Warezov.og skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124875.dll Infected: Email-Worm.Win32.Warezov.og skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124876.exe Infected: Email-Worm.Win32.Warezov.og skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124877.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124878.dll Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124879.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124880.exe Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP723\A0124881.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125075.exe Infected: Email-Worm.Win32.Warezov.ry skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125076.exe Infected: Backdoor.Win32.SdBot.byt skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125077.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125078.exe Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125079.dll Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125080.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP732\change.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\confcnn.dll.vir Infected: Email-Worm.Win32.Warezov.mg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oservmc25.dll.vir Infected: Email-Worm.Win32.Warezov.rw skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\h2ubcjsw.dll.vir Infected: Email-Worm.Win32.Warezov.og skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ewph65as.dll.vir Infected: Email-Worm.Win32.Warezov.og skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bwxlno9a1p.exe.vir Infected: Email-Worm.Win32.Warezov.og skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ksdmgr32.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sdperf.exe.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\netdex.exe.vir Infected: Email-Worm.Win32.Warezov.ry skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pk32j.exe.vir Infected: Backdoor.Win32.SdBot.byt skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\onfksd.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kconf.exe.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sdprf32.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ksstat.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
D:\Download\kf141.zip/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf141.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf141.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf141.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf141.zip ZIP: infected - 4 skipped
D:\Download\kf15b3.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf15b3.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf15b3.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Download\kf15b3.zip ZIP: infected - 3 skipped
D:\Documents\Noa\Old Noa\Local Settings\Temporary Internet Files\Content.IE5\LKKGU6G3\install_iframe[1].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
D:\Documents\Noa\Old Noa\Local Settings\Temporary Internet Files\Content.IE5\LKKGU6G3\install_iframe[2].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM/[From "michal" <michaldyok@barak-online.net>][Date Mon, 14 May 2001 11:18:31 +0200]/UNNAMED/cover Infected: Virus.MSWord.Passbox.e skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM/[From "michal" <michaldyok@barak-online.net>][Date Mon, 14 May 2001 11:18:31 +0200]/UNNAMED/=?windows-1255?B?7uHl4C5kb2M=?= Infected: Virus.MSWord.Passbox.e skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM/[From "michal" <michaldyok@barak-online.net>][Date Mon, 14 May 2001 11:18:31 +0200]/UNNAMED Infected: Virus.MSWord.Passbox.e skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM/[From "Anne Berlowitz" <berlowitz@onebox.com>][Date Mon, 14 May 2001 01:53:49 -0700]/UNNAMED/UNNAMED/[From "michal" <michaldyok@barak-online.net>][Date Mon, 14 May 2001 11:18:31 +0200]/=?windows-1255?B?7uHl4C5kb2M=?= Infected: Virus.MSWord.Passbox.e skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM/[From "Anne Berlowitz" <berlowitz@onebox.com>][Date Mon, 14 May 2001 01:53:49 -0700]/UNNAMED/UNNAMED Infected: Virus.MSWord.Passbox.e skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM/[From "Anne Berlowitz" <berlowitz@onebox.com>][Date Mon, 14 May 2001 01:53:49 -0700]/UNNAMED Infected: Virus.MSWord.Passbox.e skipped
D:\CIMAGE\PROGRA~1\INCRED~1\DATA\IDENTI~1\{42D00~1\MESSAG~1\INBOX.IMM Mail: infected - 6 skipped
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP732\change.log Object is locked skipped

Scan process completed.
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Scotty » October 5th, 2007, 4:11 pm

Hi

Quick question, but did you install a program called Magic Jellybean?
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby ber88 » October 6th, 2007, 2:18 pm

Hi,
The answer is YES.
Very long time ago . Not in use , so if you see any reason to delete it or uninstall it there is no problem to do it.
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Scotty » October 7th, 2007, 7:46 pm

Hi ber88

To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon (or click Start, then select My Computer)
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.


Navigate to and delete the following files and/or folders (if they are present):

Files:
D:\Documents\Noa\Old Noa\Local Settings\Temporary Internet Files\Content.IE5\LKKGU6G3\install_iframe[1].htm
D:\Documents\Noa\Old Noa\Local Settings\Temporary Internet Files\Content.IE5\LKKGU6G3\install_iframe[2].htm

Folders:
D:\Download\kf15b3.zip
D:\Download\kf141.zip

Is this folder necessary to you?

C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Outlook\archive.pst

It holds archived emails and at the moment is full of some nasty malware.

Open Incredimail and go to the Inbox. Then delete these emails.

[From "michal" <michaldyok@barak-online.net>][Date Mon, 14 May 2001 11:18:31 +0200]
[From "Anne Berlowitz" <berlowitz@onebox.com>][Date Mon, 14 May 2001 01:53:49 -0700]


Now open Outlook Express and open the Sent items folder and delete the following emails.

[From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200]
[From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200]
[From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200]


Then empty the Deleted Items folder in Outlook Express.

Post back with a new HijackThis log, and let me know how the deletions went, and how the computer is behaving now.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby ber88 » October 8th, 2007, 5:37 pm

Hi,

1. I have deleted install_iframe[1].htm & install_iframe[2].htm .

2. I have deleted kf15b3.zip & kf141.zip

3. With regards to Outlook\archive.pst as you mentined it holds archived emails that I might want to keep. If you can be more precise of the nasty ones I can recover it and delete it and then archive it back.

4. I don't have incredimail anymore so I deleted the whole inbox.IMM file.

5. I have deleted "From "The Berlowitz" <berlowitz@safe-mail.net>][Date Wed, 10 Aug 2005 23:55:25 +0200] .
You mentioned it three time , I found it once.

6. It's a while (two weeks or so) that the computer works properly with no any strange behaviors.

7. Here is a new Hijacks log :

Logfile of HijackThis v1.99.1
Scan saved at 11:21:28 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Programs\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Scotty » October 11th, 2007, 4:48 am

Hi

If you open Outlook, look in the left pane for Archive Folders and click on the (+).
Enter the Sent Items folder and delete the following.

10 Aug 2005 21:55 to Oved Berlowitz:
15 Jan 2006 22:28 to Oved Berlowitz
16 Jan 2006 19:21 to nfc@newsletter.barak.net.il;


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby ber88 » October 12th, 2007, 1:07 am

Hi ,
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 12, 2007 6:46:50 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/10/2007
Kaspersky Anti-Virus database records: 431112
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 167021
Number of viruses found: 9
Number of infected objects: 40
Number of suspicious objects: 0
Duration of the scan process: 08:56:23

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Oved\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Oved\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Temp\~DF5AFB.tmp Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Oved\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Oved\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Noa\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Noa\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Noa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Noa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Meitale\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Meitale\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Meitale\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Meitale\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP739\change.log Object is locked skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125075.exe Infected: Email-Worm.Win32.Warezov.ry skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125076.exe Infected: Backdoor.Win32.SdBot.byt skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125077.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125078.exe Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125079.dll Infected: Email-Worm.Win32.Warezov.qf skipped
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP724\A0125080.DLL Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\confcnn.dll.vir Infected: Email-Worm.Win32.Warezov.mg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oservmc25.dll.vir Infected: Email-Worm.Win32.Warezov.rw skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\h2ubcjsw.dll.vir Infected: Email-Worm.Win32.Warezov.og skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ewph65as.dll.vir Infected: Email-Worm.Win32.Warezov.og skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bwxlno9a1p.exe.vir Infected: Email-Worm.Win32.Warezov.og skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ksdmgr32.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sdperf.exe.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\netdex.exe.vir Infected: Email-Worm.Win32.Warezov.ry skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pk32j.exe.vir Infected: Backdoor.Win32.SdBot.byt skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\onfksd.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kconf.exe.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sdprf32.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ksstat.dll.vir Infected: Email-Worm.Win32.Warezov.qf skipped

D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP739\change.log Object is locked skipped

Scan process completed.
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Elrond » October 12th, 2007, 6:34 am

Hi Oded

Scotty has left on a well deserved vacation and I promised to take over.
I am the ghost that have been giving you regards from time to time.

The last log came back clean and all indications are that the computer is clean.

Do the following.

  1. Clean up the stuff that we downloaded but that you do not need. Go to Start > Run - type in ComboFix /u & click OK.
    AVG AntiSpyware you can leave on your computer. It will expire but you can use it as a scanner. It is a good idea to update it and run it once a week because it will keep your computer clean from a lot of ad cookies and will also warn you if some types of infections get onto your computer.
  2. This is a good time to clear your existing system restore points and establish a new clean restore point:

    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select drive will open. Click OK
    • Either a scan will open up and take a few minutes or it will go directly to Disk Cleanup for ...
    • Select the More options tab
    • Find System Restore. Click Clean up
  3. Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please checkHide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    Your computer now seems to be clean. Therefore please

    1. Clean out Temporary Files etc. Download System Security Suite from http://www.igorshpak.net/software/3ssetup104.zip. Extract it from the zip file into a folder and double click on sss.exe. Please check the following check-boxes under the Items to Clear tab:
      1. Under Internet Explorer
        • History
        • Temporary Files
      2. Under My Computer
        • Recycle Bin
        • Run (Menu)
        • Search History
        • Temporary Files
      Next click 'Clear Selected Items'. Reboot when prompted. It is a good idea to do this every few weeks as a lot of junk collects there over time.
    2. if you are using Intrnet Explorer v. 6
      Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialise and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
      There are good reasons to upgrade to Internet Explorer v. 7. Do look into this. You can find a lot of information about it on Microsofts website.
    3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    4. Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Once a day is a good idea). If you do not update your anti virus software it will not be able to catch new variants that come out.
    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recomended.
      Be restrictive with granting access to the internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.
    6. Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.
    7. Visit Microsoft's Windows Update Site Frequently or better yet set computer for automatic updates.
    8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    9. Read and follow the sugestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miek ... ntion.html that will give you more information on some of the points above.
    Follow this list and your potential for being infected again will reduce dramatically.
  4. Stand up and be Counted.
    NOW is the time you can start to hit back at the people who infected you.
    Image
    Please take the time to go and complain. The infection that made the major problems was the Warezov Worm. Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to goverment or government agances that something will get done.




Please post back if there still is something odd going on with your computer. Hopefully it should not be.


I hope that we have been of help to you. :(

Shabbat Shalom v'b'hazlacha. E :)
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby ber88 » October 14th, 2007, 3:15 pm

Thanks a lot for all your help.
I hope I won't need your help any more.
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 58 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware