Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Urgant-h00009276

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Urgant-h00009276

Unread postby h00009276 » November 26th, 2008, 11:50 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:52 PM, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\VerbAce\VerbAce.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\Ela-Salaty\Salaty.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatche ... p=aus&qkw=%s&tbid=60001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://hct-portal.hct.ac.ae/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.31.0.5:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VerbAce] C:\Program Files\VerbAce\VerbAce.exe -AutoRun
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [00279938011395930140068964252711] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Ela-Salaty.lnk = C:\Program Files\Ela-Salaty\Salaty.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan ... stubie.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/ ... 586-jc.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10347 bytes
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am
Advertisement
Register to Remove

Re: Urgant-h00009276

Unread postby MikeSwim07 » November 26th, 2008, 6:25 pm

Hello, and Image to the Malware Removal forums.
My name is Michael I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please note: All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Urgant-h00009276

Unread postby h00009276 » November 27th, 2008, 2:33 am

Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Dell ResourceCD
Ela-Salaty
Google Talk (remove only)
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Inspiration 7.5
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 10
Kaspersky Anti-Virus 7.0
Kaspersky Anti-Virus 7.0
K-Lite Mega Codec Pack 1.53
mCore
mDriver
mDrWiFi
Messenger Plus! Live
mHlpDell
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Windows Alternative Mouse Pointers
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mXML
mZConfig
Nero 6 Ultra Edition
PDF Settings
PDF-XChange 3.0
Post-it® Software Notes Lite Version 2
RealPlayer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SUPERAntiSpyware Professional
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6c
Windows Communication Foundation
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Imaging Component
Windows Live Messenger
Windows Presentation Foundation
Windows Registry Guide 2003
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am

Re: Urgant-h00009276

Unread postby MikeSwim07 » November 28th, 2008, 8:23 am

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
    The ones that need to be closed/disabled are:
    Kaspersky Anti-Virus

  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Urgant-h00009276

Unread postby h00009276 » November 28th, 2008, 7:05 pm

This warning message appeared when I wanted to install the ComboFix:Image
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am

Re: Urgant-h00009276

Unread postby h00009276 » November 28th, 2008, 7:28 pm

Sorry, I have solved the problem of the warning message.
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am

Re: Urgant-h00009276

Unread postby h00009276 » November 28th, 2008, 7:28 pm

ComboFix 08-11-28.02 - ADMIN 2008-11-29 3:11:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1256.971.1033.18.280 [GMT 4:00]
Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ADMIN\Application Data\BITS
c:\documents and settings\ADMIN\Application Data\BITS\BITS.ini
c:\documents and settings\ADMIN\Application Data\BITS\DHTTable.dat
c:\documents and settings\ADMIN\Application Data\BITS\UPnP.ini
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose.log
c:\program files\FlashGet Network\FlashGet universal\fgoption.ini
c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\Profiles\config.dat
c:\program files\FlashGet Network\FlashGet universal\Profiles\tasks.dat
c:\program files\FlashGet Network\FlashGet universal\transaction.log
c:\windows\system32\GNVENqru.ini
c:\windows\system32\GNVENqru.ini2
c:\windows\system32\gwgogqra.ini2
c:\windows\system32\gwgogqra.tmp
c:\windows\system32\ieupdates.exe.tmp
c:\windows\system32\iuexkvbd.ini
c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSNETMANAGERXP


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-26 22:39 . 2008-11-26 22:39 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 22:39 . 2008-11-26 22:39 1,409 --a------ c:\windows\QTFont.for
2008-11-26 20:00 . 2008-11-26 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-26 19:59 . 2008-11-27 07:15 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-26 19:59 . 2008-11-26 19:59 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com
2008-11-26 19:57 . 2008-11-26 19:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-26 19:47 . 2008-11-26 19:47 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 08:27 . 2008-11-26 08:27 <DIR> d-------- c:\windows\Sun
2008-11-26 08:26 . 2008-11-26 08:25 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 08:26 . 2008-11-26 08:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-26 08:25 . 2008-11-26 08:25 <DIR> d-------- c:\program files\Java
2008-11-24 11:21 . 2008-11-24 11:21 <DIR> d-------- c:\program files\Panda Security
2008-11-24 10:18 . 2008-11-24 10:18 34,494 --a------ c:\windows\system32\m2.ico
2008-11-24 01:42 . 2008-11-25 00:35 <DIR> d-------- c:\windows\system32\bee_rules_screensaver dir
2008-11-18 18:44 . 2008-11-25 01:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-11-18 17:11 . 2008-11-18 17:11 <DIR> d-------- c:\program files\Windows Live
2008-11-18 17:11 . 2008-11-18 17:11 <DIR> d-------- c:\program files\Messenger Plus! Live
2008-11-18 00:34 . 2008-11-18 16:11 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-13 10:03 . 2008-10-24 15:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 10:02 . 2008-09-04 21:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 07:00 . 2008-11-18 00:34 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\ADPHONE
2008-11-12 06:50 . 2008-11-12 07:04 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\VoipBuster
2008-11-12 05:04 . 2008-11-12 05:04 <DIR> d-------- C:\profiles
2008-11-07 08:51 . 2008-11-07 08:51 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\dvdcss
2008-11-06 20:03 . 2008-04-14 04:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-06 20:03 . 2008-04-13 22:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-06 20:03 . 2008-04-13 22:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-06 20:03 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-29 22:05 . 2008-09-08 14:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-29 22:04 . 2008-08-14 14:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-29 22:04 . 2008-08-14 14:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-29 22:04 . 2008-08-14 13:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-29 22:04 . 2008-08-14 13:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-29 22:04 . 2008-09-15 16:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-29 22:03 . 2008-10-15 20:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 23:17 17,857,312 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-28 23:17 1,251,104 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-28 23:15 245,336 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-28 23:15 122,420 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-28 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-26 03:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 20:41 --------- d-----w c:\program files\Save Flash
2008-11-18 13:11 --------- d-----w c:\program files\MSN Messenger
2008-10-26 08:39 --------- d-----w c:\program files\TechSmith
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 09:08 --------- d-----w c:\program files\Common Files\xing shared
2008-10-15 09:08 --------- d-----w c:\program files\Common Files\Real
2008-10-15 09:07 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-08 15:02 --------- d-----w c:\program files\Inspiration 7.5
2008-10-07 10:29 --------- d-----w c:\documents and settings\All Users\Application Data\YoYoGames
2008-09-30 12:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 04:47 35,344 ----a-w c:\documents and settings\ADMIN\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-08 05:43 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-18 171448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-27 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"VerbAce"="c:\program files\VerbAce\VerbAce.exe" [2008-09-01 139264]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-15 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\ADMIN\Start Menu\Programs\Startup\
Ela-Salaty.lnk - c:\program files\Ela-Salaty\Salaty.exe [2007-03-05 5353984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Post-it? Software Notes Lite.lnk - c:\program files\3M\PSN2Lite\Psn2Lite.exe [2002-08-09 520192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-11-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-11-27 07:15 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{032e1b48-7eff-11dd-ae91-0016415a9f41}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca60538a-8300-11dd-ae96-0016415a9f41}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-pdfSaver3 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = https://hct-portal.hct.ac.ae/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 10.31.0.5:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\Downloaded Program Files\YYGInstantPlay.ocx - O16 -: {C49134CC-B5EF-458C-A442-E8DFE7B4645F}
hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
c:\windows\Downloaded Program Files\YYGInstantPlay.inf

c:\windows\Downloaded Program Files\plinstll.dll - O16 -: {EAC139A9-D22D-4C29-8D1C-252BE63750F9}
hxxp://www.cooliris.com/shared/plinstll.cab
c:\windows\Downloaded Program Files\plinstll.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 03:16:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1376)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1432)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\3M\PSN2Lite\PSNGive.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-11-29 3:23:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 23:23:16

Pre-Run: 60,608,991,232 bytes free
Post-Run: 60,657,795,072 bytes free

231 --- E O F --- 2008-11-14 05:42:32
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am

Re: Urgant-h00009276

Unread postby MikeSwim07 » November 29th, 2008, 12:42 pm

Flash Disinfector

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca60538a-8300-11dd-ae96-0016415a9f41}]


Save it to your desktop as CFScript.txt

Refering to the picture below, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post the ComboFix log and a new Hijackthis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Urgant-h00009276

Unread postby h00009276 » November 29th, 2008, 5:20 pm

Hi,

How can I Run CFScript?

Thank you..
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am

Re: Urgant-h00009276

Unread postby MikeSwim07 » November 29th, 2008, 5:53 pm

Please refer to the above pictures.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Urgant-h00009276

Unread postby h00009276 » November 29th, 2008, 11:46 pm

ComboFix 08-11-28.02 - ADMIN 2008-11-30 7:38:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1256.971.1033.18.128 [GMT 4:00]
Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ADMIN\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-26 20:00 . 2008-11-26 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-26 19:59 . 2008-11-27 07:15 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-26 19:59 . 2008-11-26 19:59 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com
2008-11-26 19:57 . 2008-11-26 19:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-26 19:47 . 2008-11-26 19:47 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 08:27 . 2008-11-26 08:27 <DIR> d-------- c:\windows\Sun
2008-11-26 08:26 . 2008-11-26 08:25 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 08:26 . 2008-11-26 08:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-26 08:25 . 2008-11-26 08:25 <DIR> d-------- c:\program files\Java
2008-11-24 11:21 . 2008-11-24 11:21 <DIR> d-------- c:\program files\Panda Security
2008-11-24 10:18 . 2008-11-24 10:18 34,494 --a------ c:\windows\system32\m2.ico
2008-11-24 01:42 . 2008-11-25 00:35 <DIR> d-------- c:\windows\system32\bee_rules_screensaver dir
2008-11-18 18:44 . 2008-11-25 01:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-11-18 17:11 . 2008-11-18 17:11 <DIR> d-------- c:\program files\Windows Live
2008-11-18 17:11 . 2008-11-18 17:11 <DIR> d-------- c:\program files\Messenger Plus! Live
2008-11-18 00:34 . 2008-11-18 16:11 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-13 10:03 . 2008-10-24 15:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 10:02 . 2008-09-04 21:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 07:00 . 2008-11-18 00:34 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\ADPHONE
2008-11-12 06:50 . 2008-11-12 07:04 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\VoipBuster
2008-11-12 05:04 . 2008-11-12 05:04 <DIR> d-------- C:\profiles
2008-11-07 08:51 . 2008-11-07 08:51 <DIR> d-------- c:\documents and settings\ADMIN\Application Data\dvdcss
2008-11-06 20:03 . 2008-04-14 04:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-06 20:03 . 2008-04-13 22:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-06 20:03 . 2008-04-13 22:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-06 20:03 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-29 22:05 . 2008-09-08 14:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-29 22:04 . 2008-08-14 14:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-29 22:04 . 2008-08-14 14:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-29 22:04 . 2008-08-14 13:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-29 22:04 . 2008-08-14 13:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-29 22:04 . 2008-09-15 16:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-29 22:03 . 2008-10-15 20:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-20 13:09 . 2008-10-20 13:09 0 --a------ c:\windows\nsreg.dat
2008-10-20 07:48 . 2008-10-20 07:48 <DIR> d-------- C:\My FLVs
2008-10-19 15:37 . 2008-11-26 07:55 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-19 15:36 . 2007-02-28 13:32 716,800 --a------ c:\windows\system32\lameACM.acm
2008-10-19 15:36 . 2007-02-28 13:30 593,920 --a------ c:\windows\system32\dpuGUI11.dll
2008-10-19 15:36 . 2007-02-28 13:30 577,536 --a------ c:\windows\system32\divxdec.ax
2008-10-19 15:36 . 2007-02-28 13:30 294,912 --a------ c:\windows\system32\dpu11.dll
2008-10-19 15:36 . 2007-02-28 13:30 57,344 --a------ c:\windows\system32\dpv11.dll
2008-10-19 15:36 . 2007-02-28 13:32 414 --a------ c:\windows\system32\lame_acm.xml
2008-10-15 13:08 . 2008-10-15 13:08 <DIR> d-------- c:\program files\Common Files\xing shared
2008-10-08 19:01 . 2008-10-08 19:02 <DIR> d-------- c:\program files\Inspiration 7.5
2008-10-08 19:01 . 1999-12-17 11:13 86,016 --a------ c:\windows\unvise32.exe
2008-10-07 14:09 . 2008-10-07 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\YoYoGames
2008-10-01 12:34 . 2008-10-01 12:34 <DIR> d-------- c:\windows\system32\scripting
2008-10-01 12:34 . 2008-10-01 12:34 <DIR> d-------- c:\windows\system32\en
2008-10-01 12:34 . 2008-10-01 12:34 <DIR> d-------- c:\windows\system32\bits
2008-10-01 12:34 . 2008-10-01 12:34 <DIR> d-------- c:\windows\l2schemas
2008-10-01 12:30 . 2008-10-01 12:34 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-01 12:15 . 2008-10-01 12:15 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 03:42 18,310,688 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-30 03:42 1,277,984 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-30 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-29 22:00 250,520 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-29 22:00 124,628 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-24 20:41 --------- d-----w c:\program files\Save Flash
2008-11-18 13:11 --------- d-----w c:\program files\MSN Messenger
2008-10-26 08:39 --------- d-----w c:\program files\TechSmith
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 09:08 --------- d-----w c:\program files\Common Files\Real
2008-10-15 09:07 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-09-30 12:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 04:47 35,344 ----a-w c:\documents and settings\ADMIN\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-08 05:43 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-19 06:42 155,995 ----a-w c:\windows\java\Packages\KPV13T3J.ZIP
2008-08-18 08:09 90,112 ----a-w c:\windows\system32\agsaami.dll
2008-08-18 08:09 610,304 ----a-w c:\windows\system32\agsaamg.dll
2008-08-18 08:09 372,736 ----a-w c:\windows\system32\agsaamc.dll
2008-08-18 08:09 2,535,424 ----a-w c:\windows\system32\agsaamj.dll
2008-08-18 08:09 196,608 ----a-w c:\windows\system32\maag.dll
2008-08-18 08:09 1,986,560 ----a-w c:\windows\system32\akll.dll
2008-08-18 08:09 1,245,184 ----a-w c:\windows\system32\bkll.dll
2008-08-18 08:09 1,212,416 ----a-w c:\windows\system32\ckll.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-29_ 3.22.20.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-28 23:16:05 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-29 11:06:23 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-28 23:16:05 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-29 11:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-28 23:16:05 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-29 11:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-30 02:55:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-18 171448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-27 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"VerbAce"="c:\program files\VerbAce\VerbAce.exe" [2008-09-01 139264]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-15 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\ADMIN\Start Menu\Programs\Startup\
Ela-Salaty.lnk - c:\program files\Ela-Salaty\Salaty.exe [2007-03-05 5353984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Post-it? Software Notes Lite.lnk - c:\program files\3M\PSN2Lite\Psn2Lite.exe [2002-08-09 520192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-11-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-11-27 07:15 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{032e1b48-7eff-11dd-ae91-0016415a9f41}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 07:42:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1372)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\klogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1428)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
.
Completion time: 2008-11-30 7:43:56
ComboFix-quarantined-files.txt 2008-11-30 03:43:53
ComboFix2.txt 2008-11-28 23:23:22

Pre-Run: 60,454,764,544 bytes free
Post-Run: 60,447,879,168 bytes free

194 --- E O F --- 2008-11-14 05:42:32
h00009276
Active Member
 
Posts: 7
Joined: November 26th, 2008, 11:11 am

Re: Urgant-h00009276

Unread postby MikeSwim07 » December 5th, 2008, 6:58 pm

Sorry for the wait,

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Urgant-h00009276

Unread postby MikeSwim07 » December 8th, 2008, 9:13 pm

Do you still need help?
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Urgant-h00009276

Unread postby Shaba » December 12th, 2008, 3:56 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware