Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

WinAvXX Virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

WinAvXX Virus

Unread postby Renegade » November 4th, 2007, 9:54 pm

Hi, I had the WinAvXX virus on my computer and I downloaded and ran SDFix (program I found out about in another forum to remove malware) and everything seems to have run smoothly (have control panel/adminstrative privileges back and no more popups), but the WinAvXX file still seems to be in my registry ([url="http://img205.imageshack.us/img205/195/screenshotmv8.png"]http://img205.imageshack.us/img205/195/screenshotmv8.png[/url]). Anything else I should do? Do I need to remove either of these files?

Here is my current HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:36:24 AM, on 04/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Computer Associates\InoculateIT\realmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Jo$h\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.mdg.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url="http://www.imageshack.us/index4.php"]http://www.imageshack.us/index4.php[/url]
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Ismirvkc] C:\Program Files\Rmgx\Elpouu.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\Wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca
O15 - Trusted Zone: [url="http://toolbar.imageshack.us"]http://toolbar.imageshack.us[/url]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url="http://go.microsoft.com/fwlink/?linkid=39204"]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [url="http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab"]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url="http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab"]http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [url="http://download.divx.com/player/DivXBrowserPlugin.cab"]http://download.divx.com/player/DivXBrowserPlugin.cab[/url]
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - [url="http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab"]http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab[/url]
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - [url="http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab"]http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab[/url]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [url="http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab"]http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab[/url]
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - [url="http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx"]http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx[/url]
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8851 bytes

Here is my SDFix report:
SDFix: Version 1.113

Run by Jo$h on 04/11/2007 at 03:27 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\Jo$h\Start Menu\Programs\Startup\system.exe - Deleted
C:\DOCUME~1\Jo$h\LOCALS~1\Temp\nspE.tmp - Deleted
C:\DOCUME~1\Jo$h\LOCALS~1\Temp\nspF.tmp - Deleted
C:\WINDOWS\advpn.dll - Deleted
C:\WINDOWS\div32.dll - Deleted
C:\WINDOWS\mssql.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\syscore.dll - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\vtr.dll - Deleted
C:\WINDOWS\system32\winavxx.exe - Deleted

Could Not Remove C:\WINDOWS\system32\sulimo.dat


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2007-11-04 03:39:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:7f47574d
"s2"=dword:f7b29aec
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,df,06,ef,98,6c,74,f0,b8,50,1a,a0,d3,e5,fc,af,cc,6b,c9,7b,42,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,df,06,ef,98,6c,74,f0,b8,50,1a,a0,d3,e5,fc,af,cc,6b,c9,7b,42,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\BAReport.exe"="C:\\Program Files\\MAIET\\Gunz\\BAReport.exe:*:Enabled:BAReport MFC ?? ????"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\Gunbound\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\Gunbound\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\A3 Game\\A3.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\A3 Game\\A3.exe:*:Enabled:Updater MFC ?? ????"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\WoW-1.1.0-Installer_Downloader-enUS.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\WoW-1.1.0-Installer_Downloader-enUS.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable[11-24-05].exe"="C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable[11-24-05].exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\LymphRun.exe"="C:\\Program Files\\MAIET\\Gunz\\LymphRun.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe.exe"="C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe"="C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\f.exe"="C:\\Program Files\\MAIET\\Gunz\\f.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable.exe"="C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable.exe:*:Enabled:Gunz"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\Game\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\Game\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Jo$h\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jo$h\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
C:\WINDOWS\system32\sulimo.dat Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe"
Thu 13 Oct 2005 422,400 A.SHR --- "C:\WINDOWS\x2.64.exe"
Fri 7 Oct 2005 308,224 A.SHR --- "C:\WINDOWS\system32\avisynth.dll"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Mon 12 Sep 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Thu 27 Apr 2006 2,945,024 A.SHR --- "C:\WINDOWS\system32\Smab.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll"
Tue 15 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 28 Jul 2004 1,949,696 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\LAUNCHER.EXE"
Sun 25 Jul 2004 53,760 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\MNYINSTA.DLL"
Sat 12 Jun 2004 94,208 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RMVSUITE.EXE"
Fri 2 Jul 2004 35,328 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\SETUPLNG.DLL"
Fri 21 Nov 2003 20,480 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\UNREGWTR.EXE"
Tue 13 Sep 2005 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 13 Sep 2005 274,904 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 13 Sep 2005 158,458 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"

Finished!
Renegade
Active Member
 
Posts: 4
Joined: November 4th, 2007, 9:51 pm
Advertisement
Register to Remove

Unread postby Renegade » November 4th, 2007, 9:56 pm

Ok wtf why can't I edit the post.
Renegade
Active Member
 
Posts: 4
Joined: November 4th, 2007, 9:51 pm

Re: WinAvXX Virus

Unread postby Renegade » November 4th, 2007, 10:00 pm

Ok since this Edited xx forum won't let me edit my Editxx, i'll just re-post.

Here is my current HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:36:24 AM, on 04/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Computer Associates\InoculateIT\realmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Jo$h\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.mdg.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url="http://www.imageshack.us/index4.php"]http://www.imageshack.us/index4.php[/url]
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Ismirvkc] C:\Program Files\Rmgx\Elpouu.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\Wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca
O15 - Trusted Zone: [url="http://toolbar.imageshack.us"]http://toolbar.imageshack.us[/url]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url="http://go.microsoft.com/fwlink/?linkid=39204"]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [url="http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab"]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url="http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab"]http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [url="http://download.divx.com/player/DivXBrowserPlugin.cab"]http://download.divx.com/player/DivXBrowserPlugin.cab[/url]
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - [url="http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab"]http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab[/url]
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - [url="http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab"]http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab[/url]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [url="http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab"]http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab[/url]
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - [url="http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx"]http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx[/url]
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8851 bytes

Here is my SDFix report:
SDFix: Version 1.113

Run by Jo$h on 04/11/2007 at 03:27 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\Jo$h\Start Menu\Programs\Startup\system.exe - Deleted
C:\DOCUME~1\Jo$h\LOCALS~1\Temp\nspE.tmp - Deleted
C:\DOCUME~1\Jo$h\LOCALS~1\Temp\nspF.tmp - Deleted
C:\WINDOWS\advpn.dll - Deleted
C:\WINDOWS\div32.dll - Deleted
C:\WINDOWS\mssql.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\syscore.dll - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\vtr.dll - Deleted
C:\WINDOWS\system32\winavxx.exe - Deleted

Could Not Remove C:\WINDOWS\system32\sulimo.dat


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2007-11-04 03:39:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:7f47574d
"s2"=dword:f7b29aec
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,df,06,ef,98,6c,74,f0,b8,50,1a,a0,d3,e5,fc,af,cc,6b,c9,7b,42,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,df,06,ef,98,6c,74,f0,b8,50,1a,a0,d3,e5,fc,af,cc,6b,c9,7b,42,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\BAReport.exe"="C:\\Program Files\\MAIET\\Gunz\\BAReport.exe:*:Enabled:BAReport MFC ?? ????"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\Gunbound\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\Gunbound\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\A3 Game\\A3.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\A3 Game\\A3.exe:*:Enabled:Updater MFC ?? ????"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\WoW-1.1.0-Installer_Downloader-enUS.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\WoW-1.1.0-Installer_Downloader-enUS.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable[11-24-05].exe"="C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable[11-24-05].exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\LymphRun.exe"="C:\\Program Files\\MAIET\\Gunz\\LymphRun.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe.exe"="C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe"="C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\f.exe"="C:\\Program Files\\MAIET\\Gunz\\f.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable.exe"="C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable.exe:*:Enabled:Gunz"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\Game\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\Game\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Jo$h\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jo$h\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
C:\WINDOWS\system32\sulimo.dat Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe"
Thu 13 Oct 2005 422,400 A.SHR --- "C:\WINDOWS\x2.64.exe"
Fri 7 Oct 2005 308,224 A.SHR --- "C:\WINDOWS\system32\avisynth.dll"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Mon 12 Sep 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Thu 27 Apr 2006 2,945,024 A.SHR --- "C:\WINDOWS\system32\Smab.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll"
Tue 15 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 28 Jul 2004 1,949,696 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\LAUNCHER.EXE"
Sun 25 Jul 2004 53,760 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\MNYINSTA.DLL"
Sat 12 Jun 2004 94,208 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RMVSUITE.EXE"
Fri 2 Jul 2004 35,328 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\SETUPLNG.DLL"
Fri 21 Nov 2003 20,480 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\UNREGWTR.EXE"
Tue 13 Sep 2005 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 13 Sep 2005 274,904 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 13 Sep 2005 158,458 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"

Finished!
Renegade
Active Member
 
Posts: 4
Joined: November 4th, 2007, 9:51 pm

Re: WinAvXX Virus

Unread postby Renegade » November 4th, 2007, 10:09 pm

Ugh, this is annoying. Final edit:

Hi, I had the WinAvXX virus on my computer and I downloaded and ran SDFix (malware removing program I found out about on another forum) and everything seems to have run smoothly (have control panel/adminstrative privileges back and no more popups), but the WinAvXX file still seems to be in my registry (http://img205.imageshack.us/img205/195/screenshotmv8.png). Anything else I should do? Do I need to remove either of these files?

Here is my current HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:36:24 AM, on 04/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Computer Associates\InoculateIT\realmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Jo$h\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.mdg.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url="http://www.imageshack.us/index4.php"]http://www.imageshack.us/index4.php[/url]
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Ismirvkc] C:\Program Files\Rmgx\Elpouu.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\Wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca
O15 - Trusted Zone: [url="http://toolbar.imageshack.us"]http://toolbar.imageshack.us[/url]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url="http://go.microsoft.com/fwlink/?linkid=39204"]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [url="http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab"]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url="http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab"]http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [url="http://download.divx.com/player/DivXBrowserPlugin.cab"]http://download.divx.com/player/DivXBrowserPlugin.cab[/url]
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - [url="http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab"]http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab[/url]
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - [url="http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab"]http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab[/url]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [url="http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab"]http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab[/url]
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - [url="http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx"]http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx[/url]
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8851 bytes

Here is my SDFix report:
SDFix: Version 1.113

Run by Jo$h on 04/11/2007 at 03:27 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\Jo$h\Start Menu\Programs\Startup\system.exe - Deleted
C:\DOCUME~1\Jo$h\LOCALS~1\Temp\nspE.tmp - Deleted
C:\DOCUME~1\Jo$h\LOCALS~1\Temp\nspF.tmp - Deleted
C:\WINDOWS\advpn.dll - Deleted
C:\WINDOWS\div32.dll - Deleted
C:\WINDOWS\mssql.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\syscore.dll - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\vtr.dll - Deleted
C:\WINDOWS\system32\winavxx.exe - Deleted

Could Not Remove C:\WINDOWS\system32\sulimo.dat


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2007-11-04 03:39:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:7f47574d
"s2"=dword:f7b29aec
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,df,06,ef,98,6c,74,f0,b8,50,1a,a0,d3,e5,fc,af,cc,6b,c9,7b,42,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,df,06,ef,98,6c,74,f0,b8,50,1a,a0,d3,e5,fc,af,cc,6b,c9,7b,42,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\BAReport.exe"="C:\\Program Files\\MAIET\\Gunz\\BAReport.exe:*:Enabled:BAReport MFC ?? ????"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\Gunbound\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\Gunbound\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\A3 Game\\A3.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\A3 Game\\A3.exe:*:Enabled:Updater MFC ?? ????"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\WoW-1.1.0-Installer_Downloader-enUS.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\WoW-1.1.0-Installer_Downloader-enUS.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable[11-24-05].exe"="C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable[11-24-05].exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\LymphRun.exe"="C:\\Program Files\\MAIET\\Gunz\\LymphRun.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe.exe"="C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe"="C:\\Program Files\\MAIET\\Gunz\\ZhenRun.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\f.exe"="C:\\Program Files\\MAIET\\Gunz\\f.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable.exe"="C:\\Program Files\\MAIET\\Gunz\\TitaniumRunnable.exe:*:Enabled:Gunz"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\Game\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"="C:\\Documents and Settings\\Jo$h\\My Documents\\My Downloads\\WoW\\Game\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Jo$h\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jo$h\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
C:\WINDOWS\system32\sulimo.dat Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe"
Thu 13 Oct 2005 422,400 A.SHR --- "C:\WINDOWS\x2.64.exe"
Fri 7 Oct 2005 308,224 A.SHR --- "C:\WINDOWS\system32\avisynth.dll"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Mon 12 Sep 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Thu 27 Apr 2006 2,945,024 A.SHR --- "C:\WINDOWS\system32\Smab.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll"
Tue 15 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 28 Jul 2004 1,949,696 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\LAUNCHER.EXE"
Sun 25 Jul 2004 53,760 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\MNYINSTA.DLL"
Sat 12 Jun 2004 94,208 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RMVSUITE.EXE"
Fri 2 Jul 2004 35,328 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\SETUPLNG.DLL"
Fri 21 Nov 2003 20,480 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\UNREGWTR.EXE"
Tue 13 Sep 2005 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 13 Sep 2005 274,904 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 13 Sep 2005 158,458 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"

Finished![/quote]
Renegade
Active Member
 
Posts: 4
Joined: November 4th, 2007, 9:51 pm

Re: WinAvXX Virus

Unread postby ChrisRLG » November 17th, 2007, 3:20 pm

Renegade

Your posts have been edited to remove those words which we feel to not be allowable on a family forum - please keep your langauge such that we do not need to edit them in the future.

This board has only recently updated to new software and the permission system is on of the last things that I am checking and updating - although we have never before allowed members to edit posts after they are made.

The reason why no one yet has responded - apart from your language - is due to you replying to your own topic, our helpers look for topics with zero replies and yours no longer falls into that category.

I will see if I can now get someone to check your logs.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Re: WinAvXX Virus

Unread postby askey127 » November 17th, 2007, 4:35 pm

Jedimindtricks/renegade,
As you have posted at other sites, and received expert help there
This Topic is now Closed
Malware Removal
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware