Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Hell opened its gates!


Re: Hell opened its gates!

Post by Simon V. » February 26th, 2008, 3:38 pm

Hi :)

Why did Nod32 fail to inform me of anything, not even about stupid clickers and downloaders?

Do you keep Nod32 updated?

Your logs are looking good, how is your computer currently running?
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Post by simeseko » February 26th, 2008, 4:16 pm

I don't know, man. Everything looks fine for now, but autoplay still doesn't work. Can you help me with that? Is there any possibility Nod has been compromised? One week ago it was asking for updates fifty times in two days, but these last five days nothing! And it didn't detect anything! I will scan only with Kaspersky online, and every two days. It seems everything else is shit! Please recommend a good antispyware too, because this Spyware Terminator is going out too; I don't trust it. Sorry for my bad English; I'm a Croat temporarily visiting my girlfriend in Slovakia and screwing up her computer in the process. Thanks, man. How do I give a donation? I have only two eyes for crying and PTSD from the war..
simeseko
Regular Member
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Post by Simon V. » February 27th, 2008, 2:51 am

Hi :)

I suggest you try reinstalling Nod32, that will probably fix the problem.

Donations can be done here - http://www.malwareremoval.com/donations.php

To get the autoplay function back, please do the following:

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000149
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000149
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001

Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As. Save the file as "Fix.reg" (including the quotes).

Double-click on Fix.reg. When asked if you want to merge the file with the registry, click Yes.

Restart your computer.

Here are a few tips to keep your computer clean in the future:

Click Start, then Run...

  • Type Combofix /u in the run box and click OK. (Note: the space between the x and the /u needs to be there.)

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager: it notifies you if programs are added to startup, allows delayed startup, and more. A must-have! An installation guide can be found here: http://www.winpatrol.com/download.html

Install Spybot - Search and Destroy - You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here (do not install TeaTimer): http://www.bleepingcomputer.com/tutoria ... ial43.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutoria ... ial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (anti-virus, firewall, anti-spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
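As an added example (my own script, not code from the post or from MalwareRemoval.com), the following Python reads the Fix.reg text exactly as posted, checks the two layout rules from the note (no blank line before REGEDIT4, one blank line at the end) and decodes what the policy values actually change. Two details matter when reviewing a fix like this: dword values in a .reg file are hexadecimal, so dword:00000149 is 0x149, and NoDriveTypeAutoRun is a bitmask in which each set bit disables AutoRun for one drive type, so writing 0 re-enables AutoRun for every type including removable media, which is the behaviour that autorun.inf-based worms of that period depended on. The function names, the DRIVE_TYPE_BITS table labels and the 0x95 value used in the usage note (Windows XP's documented default for NoDriveTypeAutoRun) are mine.

```python
import re

# Copy of the Fix.reg text from the post above, embedded as the sample input.
FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
    '"NoDriveAutoRun"=dword:00000149\n'
    '"NoDriveTypeAutoRun"=dword:00000000\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
    '"NoDriveAutoRun"=dword:00000149\n'
    '"NoDriveTypeAutoRun"=dword:00000000\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Cdrom]\n"
    '"AutoRun"=dword:00000001\n'
    "\n"
)

# Bit meanings of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x04: "removable (floppy, USB)",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unspecified type",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def check_layout(text):
    """Return the layout problems the post's note warns about (empty list = fine)."""
    text = text.replace("\r\n", "\n")  # tolerate Notepad's CRLF line endings
    problems = []
    if not text.startswith("REGEDIT4\n"):
        problems.append("first line must be REGEDIT4 with no blank line before it")
    if not text.endswith("\n\n"):
        problems.append("file must end with one blank line")
    return problems


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: int}} (dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)  # dword text is hex
    return keys


def drives_with_autorun_disabled(no_drive_autorun):
    """NoDriveAutoRun is a bitmask over drive letters: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if no_drive_autorun & (1 << bit)]


def drive_types_with_autorun_disabled(no_drive_type_autorun):
    """Decode NoDriveTypeAutoRun into the drive types whose AutoRun is turned off."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if no_drive_type_autorun & bit]


def summarise(text):
    """Effect of each Explorer policy key in the .reg text, keyed by registry path."""
    out = {}
    for key, values in parse_reg(text).items():
        if "NoDriveTypeAutoRun" in values:
            out[key] = {
                "letters_disabled": drives_with_autorun_disabled(values.get("NoDriveAutoRun", 0)),
                "types_disabled": drive_types_with_autorun_disabled(values["NoDriveTypeAutoRun"]),
            }
    return out


if __name__ == "__main__":
    print("layout problems:", check_layout(FIX_REG) or "none")
    for key, effect in summarise(FIX_REG).items():
        print(key)
        print("  AutoRun off for drive letters:", effect["letters_disabled"] or "none")
        print("  AutoRun off for drive types:  ", effect["types_disabled"] or "none (all types enabled)")
```

Running it shows that the posted file keeps AutoRun off only for drive letters A, D, G and I (0x149 = bits 0, 3, 6 and 8) and turns it on for every drive type; feeding 0x95 to drive_types_with_autorun_disabled shows the XP default, which leaves it off for unknown, removable and network drives.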

Re: Hell opened its gates!

Post by simeseko » February 27th, 2008, 6:22 am

It didn't help, I STILL HAVE A BACKDOOR, STUPID DOWNLOADERS AND AN ANNOYING CLICKER!
I've scanned with Kaspersky online and a Malwarebytes deep scan and did a new HijackThis log. According to Malwarebytes, even HP printer files are infected with downloaders. Should I uninstall all printer drivers and utilities? Maybe I could use the TuneUp shredder and shred all of it into pieces. You are the boss; I won't do anything without your permission.
Here are the logs, MAKE HASTE!!

Wednesday, February 27, 2008 10:17:58 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 583466
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 81178
Number of viruses found 12
Number of infected objects 44
Number of suspicious objects 0
Duration of the scan process 01:11:47

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Veronika\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\History\History.IE5\MSHist012008022720080228\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\om27.tmp Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\~DFB35C.tmp Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\ntuser.dat Object is locked skipped
C:\Documents and Settings\Veronika\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eset\infected\5JSWNFCA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\infected\KRKKMJAA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\infected\PE1FADCA.NQF Infected: Trojan-Downloader.Win32.Agent.dzm skipped
C:\Program Files\Eset\infected\YGFYOKAA.NQF Infected: Trojan-Clicker.Win32.VB.ael skipped
C:\Program Files\Eset\infected\YZ1RF5DA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Config\csrss.exe.vir Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\C\WINDOWS\Help\SETUP.EXE.vir Infected: Backdoor.Win32.VB.cds skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp0_377718344486.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp0_887540299780.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1_238729110624.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1_732898353811.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2_391779322402.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2_538623607110.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp3_12624285292.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp3_206889346973.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp4_147694747792.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Winlogon.bak.bak.vir Infected: Trojan.Win32.Patched.bm skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir/Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir/Limewire PRO 4.17.0.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir/Limewire PRO 4.17.0.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir ZIP: infected - 3 skipped
C:\QooBox\Quarantine\D\Program Files\Kazaa\kazaa.exe.vir/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\QooBox\Quarantine\D\Program Files\Kazaa\kazaa.exe.vir CAB: infected - 1 skipped
C:\QooBox\Quarantine\D\Program Files\Kazaa\kazaa.exe.vir Execryptor: infected - 1 skipped
C:\QooBox\Quarantine\D\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE.vir/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE.vir/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE.vir Rsrc-Package: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006013.sys Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006016.exe Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006018.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006019.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006041.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006042.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP24\A0007174.sys Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007629.exe Infected: Backdoor.Win32.Agobot.aqs skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007630.EXE Infected: Backdoor.Win32.VB.cds skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\VERONIKA-36JOG3.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\NUP3F4F.tmp Object is locked skipped
C:\WINDOWS\TEMP\ZLT00c79.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT01f04.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-02-27.08-00-17.log Object is locked skipped
D:\RECYCLER\S-1-5-21-1993962763-776561741-839522115-500\De22.doc Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0005975.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007619.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007619.exe CAB: infected - 1 skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007619.exe Execryptor: infected - 1 skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007638.EXE/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007638.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007638.EXE Rsrc-Package: infected - 2 skipped
Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:38, on 27.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Scrabble/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F095ED02-C1BB-4548-A5A3-ABEF8A029A77}: NameServer = 192.168.1.1
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8143 bytes

Malwarebytes' Anti-Malware 1.05
Database version: 414

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 106517
Time elapsed: 26 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4c53f186-5376-913e-6bb7-1002d734c888} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{085de4b8-c8fe-4017-86df-103fe31c39ab} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{42693d23-6964-45f4-ad8e-1077ce972d8d} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006041.dll (Adware.OneStepSearch) -> No action taken.
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006042.exe (Adware.OneStepSearch) -> No action taken.

P.S. Autoplay works! Thanks, man!
P.S. Is this ZoneAlarm protecting me from backdoor masters, or does it already have holes when I'm using IE or Mozilla? I have two suspicious programs on ZoneAlarm's list that wanted to access the internet: 1. Generic Host Process for Win32 Service (file name C:/windows/system32/svchost.exe, file size 14KB)
2. Run a DLL as an App (file name C:/windows/system32/rundll32.exe, file size 32KB)
Also, I blocked three attempts yesterday, notifying me that someone wants to get access to my computer. I saw his IP address, but it's dynamic so it isn't worth shit.
MAKE HASTE!! Please :oops:

Just for a test I've updated A2 and did a deep scan with it, and look what that FAMOUS anti-malware tool, worth $30, found (I'm using the free version, but it has the same scanner as the commercial one):

a-squared Free - Version 3.1
Last update: 27.2.2008 11:35:38

Scan settings:

Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 27.2.2008 11:36:37

Key: HKEY_USERS\S-1-5-21-1220945662-1229272821-725345543-1003\software\kazaa detected: Trace.Registry.KaZaA
Value: HKEY_USERS\S-1-5-21-1220945662-1229272821-725345543-1003\Software\BST\bsplayerv1 --> AppPath detected: Trace.Registry.BSplayer
Value: HKEY_USERS\S-1-5-21-1220945662-1229272821-725345543-1003\Software\BST\bsplayerv1 --> AppVer detected: Trace.Registry.BSplayer

Scanned

Files: 53004
Traces: 378253
Cookies: 23
Processes: 36

Found

Files: 0
Traces: 3
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 27.2.2008 12:03:08
Scan time: 0:26:31
This A2 should be put in the Hall of Shame! It's completely useless!
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 27th, 2008, 8:24 am

Hi :)

All the files Kaspersky found were located in the backup folders of Combofix, which should be gone when you follow the instructions for uninstalling Combofix in my previous post.

Is this ZoneAlarm protecting me from backdoor masters, or does it already have holes when I'm using IE or Mozilla? I have two suspicious programs on ZoneAlarm's list that wanted to access the internet: 1. Generic Host Process for Win32 Service (file name C:/windows/system32/svchost.exe, file size 14KB)
2. Run a DLL as an App (file name C:/windows/system32/rundll32.exe, file size 32KB)

Those two files are legit and should be allowed connection with the internet.

Open Malwarebytes' Anti-Malware. Once the program has loaded, select Perform quick scan, then click Scan.

  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.

Post the log in your next reply, and tell me whether you're still experiencing problems.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 27th, 2008, 9:20 am

Thanks, man. I've rebooted after cleaning, as prompted.
Here is the log:

Malwarebytes' Anti-Malware 1.05
Database version: 414

Scan type: Quick Scan
Objects scanned: 27474
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4c53f186-5376-913e-6bb7-1002d734c888} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{085de4b8-c8fe-4017-86df-103fe31c39ab} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{42693d23-6964-45f4-ad8e-1077ce972d8d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> Delete on reboot.

Please tell me your suggestion; if I reinstall NOD, maybe this v2.1 patch won't work, so I'll lose it. Also, I will uninstall Spyware Terminator and install Windows Defender + all those things you suggested before. What do you think, kind sir?
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm
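The two Malwarebytes' Anti-Malware logs posted in this thread differ only in the action column: the first run ends every line with "No action taken" (a scan-only run), the second with "Quarantined and deleted successfully" or "Delete on reboot" (a clean run). When reading many such logs, a helper wants two things checked mechanically: that the summary counts at the top agree with the items actually listed per section, and which detections are still unremediated. The parser below is an added example written for this page; it is not code from the forum or from Malwarebytes, and it targets only the plain-text 1.x log layout shown above. The embedded sample log is constructed from the thread's own entries, with one registry key deliberately left as "No action taken" so the checks have something to report.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example for this thread (not Malwarebytes' own code). Assumes the
plain-text layout shown in the thread: a block of "<Section> Infected: N"
summary lines, then one "<Section> Infected:" header per section followed
by "<path> (<threat>) -> <action>." item lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, assembled from the entries posted in the thread, with
# one registry key left unremediated on purpose.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.05
Database version: 414

Scan type: Quick Scan
Objects scanned: 27474
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4c53f186-5376-913e-6bb7-1002d734c888} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{085de4b8-c8fe-4017-86df-103fe31c39ab} (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Lazy path match so a path containing "(x86)" is not mistaken for the threat.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    path: str
    threat: str
    action: str


@dataclass
class ScanLog:
    summary: dict = field(default_factory=dict)      # section -> claimed count
    detections: list = field(default_factory=list)   # Detection objects in order


def parse_mbam_log(text):
    """Walk the log line by line, tracking which section we are in."""
    log, section = ScanLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            log.summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            log.detections.append(Detection(section, m.group("path"),
                                            m.group("threat"), m.group("action")))
    return log


def count_mismatches(log):
    """Sections whose summary count differs from the items listed: {section: (claimed, listed)}."""
    listed = {}
    for d in log.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in log.summary.items() if listed.get(s, 0) != n}


def unremediated(log):
    """Detections the user still has to act on (scan-only run, or item not checked)."""
    return [d for d in log.detections if d.action.lower().startswith("no action taken")]


def pending_reboot(log):
    """Detections that are only removed once the machine restarts."""
    return [d for d in log.detections if "reboot" in d.action.lower()]


if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    print("detections:", len(log.detections), "mismatches:", count_mismatches(log))
    for d in unremediated(log):
        print("still present:", d.section, d.path, d.threat)
    for d in pending_reboot(log):
        print("needs reboot:", d.path)
```

Run against the first log in this thread, `unremediated()` returns every line (nothing was removed yet); against the second it returns nothing and `pending_reboot()` names the HP DLL, which is why the helper asked for a restart before the next log. A non-empty `count_mismatches()` usually means a truncated paste rather than a scanner fault.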

Re: Hell opened its gates!

Unread postby Simon V. » February 27th, 2008, 10:19 am

Hi :)

Please tell me your suggestion; if I reinstall NOD, maybe this v2.1 patch won't work, so I'll lose it. Also, I will uninstall Spyware Terminator and install Windows Defender + all those things you suggested before. What do you think, kind sir?

What v2.1 patch are you talking about? Is it a program update for Nod32? If so, that should be no problem to reinstall too.

I wouldn't install Windows Defender. You don't want to overload your computer with security programs. Keep Malwarebytes' Anti-Malware and install the programs I recommended and you'll be good.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 27th, 2008, 12:35 pm

Help me please! I know this is off topic, but I've installed all updates from AutopatcherXP and now Windows Media Player 11 doesn't want to start because I'm not using a validated version. It seems that with this AutopatcherXP I've installed the Windows Genuine tool. Tell me how to remove it, for the love of God! My girlfriend will kill me!! I can't install WMP10 back because it prompts me that it's not compatible with my updated version anymore! Please, how do I remove that tool? It has the name KB892130, but I can't find it in Add or Remove Programs! HELP!!
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 27th, 2008, 12:40 pm

Wait... Where did you download AutopatcherXP from? And why?
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 27th, 2008, 1:21 pm

I had it on a CD from a magazine. I have XP Pro that had already been used. Help me please! How do I make this WMP11 work? :(
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 27th, 2008, 1:27 pm

simeseko wrote: I had it on a CD from a magazine. I have XP Pro that had already been used. Help me please! How do I make this WMP11 work? :(

Please try to uninstall WMP11 and then install WMP10 from this link > http://www.microsoft.com/windows/window ... fault.aspx

What do you mean by 'I have xp pro that was already been used'?
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 27th, 2008, 2:07 pm

It is a copy that was registered to a firm that doesn't exist anymore. I integrated SP2 into it with nLite and it works perfectly (I don't have to go on the net to activate it, no matter how many times I install it). I've installed IE7 without problem, but this WMP11 is giving me trouble. I know it would work if only I hadn't installed that Windows Genuine tool from the updates, because I tried it at home and it worked normally. If you know a way to make it work, please tell me. I know it's not completely legal, but there will be a special place in heaven waiting for you if you do this for me.
There has to be some way to disable this Windows Genuine Advantage.
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 27th, 2008, 2:56 pm

There has to be some way to disable this Windows Genuine Advantage.

There's a way to disable anything, but I'm not the person that will help you doing it.

As I understand it, your copy of Windows is not legal and this is unacceptable, not only because of security reasons. I cannot assist you anymore with the problems that you are currently experiencing. This topic will be closed.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby Elrond » February 27th, 2008, 4:30 pm

This topic is now closed.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem