Infected with various Trojan and adware.(remove to no avail)

Post by godpig » April 9th, 2007, 12:01 pm

Bob4 wrote: Just have to ask to be sure.
You are disabling Spyware Doctor before you run the fixes?

Have you installed mIRC??
C:\DL\mirc616.exe

Yeah, I didn't even turn on Spyware Doctor. To be more sure, I have just uninstalled it.

And yep, mIRC is installed on my computer.
godpig
Regular Member
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by godpig » April 9th, 2007, 12:24 pm

Hi, below are the log files :D

For ComboFix:

"Administrator" - 07-04-10 0:15:39 Service Pack 2
ComboFix 07-04-05 - Running from: "D:\Program Files\Mozilla Firefox"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\system32\dodolook260.exe
D:\WINDOWS\system32\winepm95.bin
D:\WINDOWS\system32\winlwf58.bin
D:\WINDOWS\system32\winowf48.bin
D:\WINDOWS\system32\winreq96.bin
D:\WINDOWS\system32\winupx93.bin
D:\WINDOWS\system32\Msf3sf.sys
D:\WINDOWS\system32\4.dll
D:\WINDOWS\system32\6.dll
D:\Program Files\Common Files\microsoft shared\msinfo\SysInfo.bak
D:\Program Files\Common Files\microsoft shared\msinfo\SysInfo.vxd
D:\WINDOWS\Debug\UserMode\0DE49.dll
D:\WINDOWS\system32\drivers\ayyowf48.sys
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools\pctools.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1004.dat
D:\WINDOWS\system32\mdserivces\services\reg.exe
D:\WINDOWS\system32\bdsupx93\bdsupx93.dll
D:\WINDOWS\system32\bdsupx93\winupx93.bin
D:\WINDOWS\system32\bdsupx93\winupx93.dll
D:\WINDOWS\system32\advport.dll
D:\WINDOWS\system32\d3d1caps.srg
D:\WINDOWS\system32\scia.dll
D:\WINDOWS\system32\score.txt
D:\WINDOWS\system32\toolset.ini
D:\WINDOWS\system32\unibar.exe
D:\WINDOWS\kernel32.exe
D:\WINDOWS\system32\kbnaxp.dll
D:\WINDOWS\system32\xpnap.exe
D:\WINDOWS\config\starter\config.htm
D:\WINDOWS\system32\msrundll.exe
D:\WINDOWS\system32\ims.ini
D:\WINDOWS\system32\wbem\mof\good\esery.mof
D:\WINDOWS\system32\drivers\usb8028x.sys
D:\WINDOWS\system32\player.dll
D:\WINDOWS\usb8028x.log
D:\WINDOWS\system32\FP30PY.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td
D:\WINDOWS\system32\mdserivces
D:\WINDOWS\system32\winup
D:\Program Files\Common Files\Ruango
D:\WINDOWS\system32\bdsupx93
D:\WINDOWS\system32\ayyowf48.dll
D:\WINDOWS\system32\bdsupx93.dll
D:\WINDOWS\system32\winowf48.dll
D:\WINDOWS\system32\drivers\tnswgk39.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\ayyowf48
-------\BKMARKS
-------\CryptographicServer
-------\ndcia
-------\romman
-------\stdio
-------\tnswgk39
-------\usb8028
-------\usb8028x
-------\WmdmPWD
-------\LEGACY_ACPIDISK
-------\LEGACY_AYYOWF48
-------\LEGACY_BKMARKS
-------\LEGACY_CDNPROT
-------\LEGACY_CRYPTOGRAPHICSERVER
-------\LEGACY_FKWLD
-------\LEGACY_MCHINJDRV
-------\LEGACY_NDCIA
-------\LEGACY_ROMMAN
-------\LEGACY_STDIO
-------\LEGACY_TNSWGK39
-------\LEGACY_USB8028
-------\LEGACY_USB8028X
-------\LEGACY_WMDMPWD


((((((((((((((((((((((((((((((( Files Created from 2007-03-10 to 2007-04-10 ))))))))))))))))))))))))))))))))))


2007-04-10 00:16 0 --a------ D:\WINDOWS\system32\tnswgk39.dll
2007-04-10 00:10 <DIR> d-------- D:\avenger
2007-04-09 21:08 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-04-09 19:48 <DIR> d-------- D:\!KillBox
2007-04-09 13:52 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 14:38 <DIR> d-------- D:\Program Files\CCleaner
2007-04-07 22:18 <DIR> d-------- D:\Program Files\KONAMI
2007-04-06 11:28 <DIR> d-------- D:\Program Files\Spyware Doctor
2007-04-06 11:27 172 --a------ D:\WINDOWS\system32\ayyowf48\winowf48.bin
2007-04-06 11:27 <DIR> d-------- D:\WINDOWS\system32\ayyowf48
2007-04-04 16:55 1,168 --a------ D:\WINDOWS\mozver.dat
2007-04-03 23:17 0 --a------ D:\WINDOWS\nsreg.dat
2007-04-03 23:07 <DIR> d-------- D:\WINDOWS\%DownloadedProgramFiles%
2007-04-03 21:03 <DIR> d-------- D:\Program Files\Common Files\scosoft.com
2007-04-03 18:50 <DIR> d-------- D:\WINDOWS\pss
2007-04-03 18:22 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-04-03 14:46 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-03 14:45 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-04-03 11:54 <DIR> d-------- D:\WINDOWS\CSC
2007-04-03 00:25 <DIR> d-------- D:\WINDOWS\system32\yrelwf58
2007-04-03 00:25 <DIR> d-------- D:\WINDOWS\system32\thpepm95
2007-04-03 00:05 33 --a------ D:\WINDOWS\system32\111gPgi0.dll
2007-04-02 23:35 276 --a------ D:\WINDOWS\system32\BF74F43E.dat
2007-04-02 23:35 <DIR> d-------- D:\Program Files\wjpw
2007-03-30 20:53 21,504 --a------ D:\WINDOWS\system32\hidserv.dll
2007-03-28 21:16 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\HHD Software
2007-03-28 21:15 <DIR> d-------- D:\Program Files\HHD Software
2007-03-28 20:58 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-03-28 20:24 223,128 --a------ D:\WINDOWS\system32\drivers\vaxscsi.sys
2007-03-28 20:24 <DIR> d-------- D:\Program Files\Alcohol Soft
2007-03-28 20:22 96,256 --a------ D:\WINDOWS\system32\drivers\sptd8365.sys
2007-03-28 20:22 642,560 --a------ D:\WINDOWS\system32\drivers\sptd.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-03 11:14 -------- d--h----- D:\Program Files\installshield installation information
2007-03-08 23:36 577536 --a------ D:\WINDOWS\system32\user32.dll
2007-03-08 23:36 40960 --a------ D:\WINDOWS\system32\mf3216.dll
2007-03-08 23:36 281600 --a------ D:\WINDOWS\system32\gdi32.dll
2007-03-08 21:47 1843584 --a------ D:\WINDOWS\system32\win32k.sys
2007-03-08 21:33 -------- d-------- D:\Program Files\ea games
2007-02-26 05:14 -------- d-------- D:\Program Files\pplive
2007-02-26 05:10 -------- d-------- D:\Program Files\msn messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"ABITManager"="D:\\Program Files\\ABIT\\ABIT Manager\\ABITManager.exe"
"ABITEQ"="D:\\Program Files\\ABIT\\ABIT Manager\\abiteq.exe -M"
"RemoteControl"="\"D:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCSuiteTrayApplication"="D:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -onlytray"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ruango.lnk]
"path"="D:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ruango.lnk"
"backup"="D:\\WINDOWS\\pss\\ruango.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\WINDOWS\\system32\\MSRundll.exe D:\\PROGRA~1\\COMMON~1\\Ruango\\Player.dll,Always"
"item"="ruango"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlsreq96]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qlsreq96"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\Rundll32.exe \"%systemroot%\\system32\\qlsreq96.dll\",Start"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{90BC520C-9175-470E-94B8-10FD869D170B}"=""
"{1B4E3287-2C14-F46E-89D0-AADD240C8583}"=""
"{26F0E2C9-F853-42D4-866E-86AA4C8EF58F}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0lsanp\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Hardware



Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\XoftSpySE 2.job
D:\WINDOWS\tasks\XoftSpySE.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-10 0:19:37
D:\ComboFix-quarantined-files.txt ... 07-04-10 00:19


For Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\udonkrvg

*******************

Script file located at: \??\D:\Documents and Settings\cnjqeccx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

File D:\Documents and Settings\Administrator\Local Settings\Temp\1271625.exe deleted successfully.


File D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe failed!

Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe
Status: 0xc0000034



File D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe failed!

Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe
Status: 0xc0000034



File D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll failed!

Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll
Status: 0xc0000034

File D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp3.tmp.rom deleted successfully.
File D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp4.tmp.rom deleted successfully.


File D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom failed!

Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom
Status: 0xc0000034

File D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm3.tmp.rom deleted successfully.
File D:\WINDOWS\bar.exe deleted successfully.
File D:\Documents and Settings\All Users\Templates\temp.exe deleted successfully.
File D:\Program Files\Internet Explorer\InfoMs.tdm deleted successfully.
File D:\Program Files\Internet Explorer\InfoMs.tp3 deleted successfully.
File D:\WINDOWS\system32\dodolook133.exe deleted successfully.


File D:\WINDOWS\system32\drivers\ndcia.sys not found!
Deletion of file D:\WINDOWS\system32\drivers\ndcia.sys failed!

Could not process line:
D:\WINDOWS\system32\drivers\ndcia.sys
Status: 0xc0000034



File D:\WINDOWS\system32\drivers\romman.sys not found!
Deletion of file D:\WINDOWS\system32\drivers\romman.sys failed!

Could not process line:
D:\WINDOWS\system32\drivers\romman.sys
Status: 0xc0000034

File D:\WINDOWS\system32\drivers\usb8028.sys deleted successfully.
File D:\WINDOWS\system32\1010s.exe deleted successfully.
File D:\WINDOWS\system32\ad_1485.exe deleted successfully.
File D:\WINDOWS\system32\gb01.exe deleted successfully.
File D:\WINDOWS\system32\HelpIE.dll deleted successfully.
File D:\WINDOWS\system32\mshtmlsed.exe deleted successfully.


File D:\WINDOWS\system32\trtbc.dll not found!
Deletion of file D:\WINDOWS\system32\trtbc.dll failed!

Could not process line:
D:\WINDOWS\system32\trtbc.dll
Status: 0xc0000034

File D:\WINDOWS\Temp\base.exe deleted successfully.


File D:\WINDOWS\system32\HelpIE.dll not found!
Deletion of file D:\WINDOWS\system32\HelpIE.dll failed!

Could not process line:
D:\WINDOWS\system32\HelpIE.dll
Status: 0xc0000034

File D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
godpig
Regular Member
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by godpig » April 9th, 2007, 12:33 pm

For these 2 files, the result:
D:\WINDOWS\system32\drivers\tnswgk39.sys

D:\WINDOWS\system32\wbem\ydpuq.dll

Jotti's reports it as a 0kb file, or that malware might be preventing it from being submitted. Both have the same results.

For the BlackLight report:

04/10/07 00:28:09 [Info]: BlackLight Engine 1.0.61 initialized
04/10/07 00:28:09 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/10/07 00:28:09 [Note]: 7019 4
04/10/07 00:28:09 [Note]: 7005 0
04/10/07 00:28:12 [Note]: 7006 0
04/10/07 00:28:12 [Note]: 7011 1684
04/10/07 00:28:12 [Note]: 7026 0
04/10/07 00:28:12 [Note]: 7026 0
04/10/07 00:28:14 [Note]: FSRAW library version 1.7.1021
04/10/07 00:30:36 [Note]: 2000 1012
04/10/07 00:30:41 [Note]: 7007 0

And lastly, the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:03 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
D:\Program Files\ABIT\ABIT Manager\abiteq.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABITManager] D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
O4 - HKLM\..\Run: [ABITEQ] D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/r ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{678B4F31-AB23-40EA-A3DD-B9FCDB9EA25A}: NameServer = 202.156.1.48,202.156.1.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Thanks again :D
godpig
Regular Member
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by Bob4 » April 9th, 2007, 1:03 pm

Quick question.
Did you run the combo scan first?
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by godpig » April 9th, 2007, 2:37 pm

Erm... I've actually forgotten already.
Is there a difference??

I think I'm following your steps line by line.
godpig
Regular Member
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by Bob4 » April 9th, 2007, 2:53 pm

May I get another combo scan fix, please.

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by godpig » April 10th, 2007, 9:13 am

Here you go, sorry for the late reply.

"Administrator" - 07-04-10 21:12:01 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\DL"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\usb8028x.log


((((((((((((((((((((((((((((((( Files Created from 2007-03-10 to 2007-04-10 ))))))))))))))))))))))))))))))))))


2007-04-10 00:16 0 --a------ D:\WINDOWS\system32\tnswgk39.dll
2007-04-10 00:10 <DIR> d-------- D:\avenger
2007-04-09 21:08 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-04-09 19:48 <DIR> d-------- D:\!KillBox
2007-04-09 13:52 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 14:38 <DIR> d-------- D:\Program Files\CCleaner
2007-04-07 22:18 <DIR> d-------- D:\Program Files\KONAMI
2007-04-06 11:28 <DIR> d-------- D:\Program Files\Spyware Doctor
2007-04-06 11:27 172 --a------ D:\WINDOWS\system32\ayyowf48\winowf48.bin
2007-04-06 11:27 <DIR> d-------- D:\WINDOWS\system32\ayyowf48
2007-04-04 16:55 1,168 --a------ D:\WINDOWS\mozver.dat
2007-04-03 23:17 0 --a------ D:\WINDOWS\nsreg.dat
2007-04-03 23:07 <DIR> d-------- D:\WINDOWS\%DownloadedProgramFiles%
2007-04-03 21:03 <DIR> d-------- D:\Program Files\Common Files\scosoft.com
2007-04-03 18:50 <DIR> d-------- D:\WINDOWS\pss
2007-04-03 18:22 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-04-03 14:46 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-03 14:45 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-04-03 11:54 <DIR> d-------- D:\WINDOWS\CSC
2007-04-03 00:25 <DIR> d-------- D:\WINDOWS\system32\yrelwf58
2007-04-03 00:25 <DIR> d-------- D:\WINDOWS\system32\thpepm95
2007-04-03 00:05 33 --a------ D:\WINDOWS\system32\111gPgi0.dll
2007-04-02 23:35 276 --a------ D:\WINDOWS\system32\BF74F43E.dat
2007-04-02 23:35 <DIR> d-------- D:\Program Files\wjpw
2007-03-30 20:53 21,504 --a------ D:\WINDOWS\system32\hidserv.dll
2007-03-28 21:16 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\HHD Software
2007-03-28 21:15 <DIR> d-------- D:\Program Files\HHD Software
2007-03-28 20:58 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-03-28 20:24 223,128 --a------ D:\WINDOWS\system32\drivers\vaxscsi.sys
2007-03-28 20:24 <DIR> d-------- D:\Program Files\Alcohol Soft
2007-03-28 20:22 96,256 --a------ D:\WINDOWS\system32\drivers\sptd8365.sys
2007-03-28 20:22 642,560 --a------ D:\WINDOWS\system32\drivers\sptd.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-10 00:44 -------- d-------- D:\Program Files\msn messenger
2007-04-10 00:43 -------- d-------- D:\Program Files\nokia
2007-04-03 11:14 -------- d--h----- D:\Program Files\installshield installation information
2007-03-08 23:36 577536 --a------ D:\WINDOWS\system32\user32.dll
2007-03-08 23:36 40960 --a------ D:\WINDOWS\system32\mf3216.dll
2007-03-08 23:36 281600 --a------ D:\WINDOWS\system32\gdi32.dll
2007-03-08 21:47 1843584 --a------ D:\WINDOWS\system32\win32k.sys
2007-03-08 21:33 -------- d-------- D:\Program Files\ea games


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"ABITManager"="D:\\Program Files\\ABIT\\ABIT Manager\\ABITManager.exe"
"ABITEQ"="D:\\Program Files\\ABIT\\ABIT Manager\\abiteq.exe -M"
"RemoteControl"="\"D:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ruango.lnk]
"path"="D:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ruango.lnk"
"backup"="D:\\WINDOWS\\pss\\ruango.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\WINDOWS\\system32\\MSRundll.exe D:\\PROGRA~1\\COMMON~1\\Ruango\\Player.dll,Always"
"item"="ruango"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlsreq96]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qlsreq96"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\Rundll32.exe \"%systemroot%\\system32\\qlsreq96.dll\",Start"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{90BC520C-9175-470E-94B8-10FD869D170B}"=""
"{1B4E3287-2C14-F46E-89D0-AADD240C8583}"=""
"{26F0E2C9-F853-42D4-866E-86AA4C8EF58F}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0lsanp\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Hardware



Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\XoftSpySE 2.job
D:\WINDOWS\tasks\XoftSpySE.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-10 21:13:17
D:\ComboFix-quarantined-files.txt ... 07-04-10 21:13
D:\ComboFix2.txt ... 07-04-10 00:19
godpig
Regular Member
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by Bob4 » April 10th, 2007, 5:10 pm

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    D:\WINDOWS\system32\ayyowf48
    D:\WINDOWS\system32\MSRundll.exe
    D:\PROGRA~1\COMMON~1\Ruango\Player.dll
    D:\WINDOWS\system32\qlsreq96.dll
    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ruango.lnk
    D:\\WINDOWS\system32\MSRundll.exe
    D:\\PROGRA~1\COMMON~1\Ruango\Player.dll
    D:\WINDOWS\system32\tnswgk39.dll
    D:\WINDOWS\system32\ayyowf48
    D:\WINDOWS\system32\yrelwf58
    D:\WINDOWS\system32\thpepm95
    D:\WINDOWS\system32\111gPgi0.dll
    D:\WINDOWS\system32\BF74F43E.dat


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

*Please download System Repair Engineer (SREng)

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures" (on the bottom)

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Post the contents of the log in your next reply.



________________________

In your next reply I would like to see:
  • A new HJT log
  • The report from System Repair Engineer
  • The report from OTMoveIt
  • Tell me what program you have that is reporting these trojans.

Please post a new HJT log.
Also, seeing as you had no antivirus, tell me what program was reporting these trojans.
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by godpig » April 11th, 2007, 5:50 am

Hi, below are the logs you requested.

OTMoveIt:
D:\WINDOWS\system32\ayyowf48 moved successfully.
File/Folder D:\WINDOWS\system32\MSRundll.exe not found.
File/Folder D:\PROGRA~1\COMMON~1\Ruango\Player.dll not found.
File/Folder D:\WINDOWS\system32\qlsreq96.dll not found.
File/Folder D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ruango.lnk not found.
File/Folder D:\\WINDOWS\system32\MSRundll.exe not found.
File/Folder D:\\PROGRA~1\COMMON~1\Ruango\Player.dll not found.
LoadLibrary failed for D:\WINDOWS\system32\tnswgk39.dll
D:\WINDOWS\system32\tnswgk39.dll NOT unregistered.
D:\WINDOWS\system32\tnswgk39.dll moved successfully.
File/Folder D:\WINDOWS\system32\ayyowf48 not found.
D:\WINDOWS\system32\yrelwf58 moved successfully.
D:\WINDOWS\system32\thpepm95 moved successfully.
LoadLibrary failed for D:\WINDOWS\system32\111gPgi0.dll
D:\WINDOWS\system32\111gPgi0.dll NOT unregistered.
D:\WINDOWS\system32\111gPgi0.dll moved successfully.
D:\WINDOWS\system32\BF74F43E.dat moved successfully.

Created on 04/11/2007 17:41:40

SRENG

2007-04-11,17:46:54

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><D:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ATIPTA><D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe>  [ATI Technologies, Inc.]
    <SoundMan><SOUNDMAN.EXE>  [(Verified)Microsoft Windows Publisher]
    <ABITManager><D:\Program Files\ABIT\ABIT Manager\ABITManager.exe>  [ABIT Computer Corporation]
    <ABITEQ><D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M>  []
    <RemoteControl><"D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe">  [Cyberlink Corp.]
    <TkBellExe><"D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
    <BluetoothAuthenticationAgent><rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent>  [(Verified)Microsoft Windows Publisher]
    <QuickTime Task><"D:\Program Files\QuickTime\qttask.exe" -atboottime>  [Apple Computer, Inc.]
    <AVG7_CC><D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP>  [GRISOFT, s.r.o.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><D:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{90BC520C-9175-470E-94B8-10FD869D170B}><D:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd>  [N/A]
    <{1B4E3287-2C14-F46E-89D0-AADD240C8583}><D:\WINDOWS\system32\6.dll>  [N/A]
    <{26F0E2C9-F853-42D4-866E-86AA4C8EF58F}><D:\WINDOWS\debug\userMode\0DE49.dll>  [N/A]
    <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
    <WinlogonNotify: WRNotifier><WRLogonNTF.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><D:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <qlsreq96><; %systemroot%\system32\Rundll32.exe "%systemroot%\system32\qlsreq96.dll",Start>  [N/A]

==================================
Startup Folders
[Microsoft Office]
  <D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk --> D:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>

==================================
Services
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <D:\WINDOWS\System32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
  <D:\WINDOWS\system32\ati2sgag.exe><>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
  <D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[AVG7 Alert Manager Server / Avg7Alrt][Running/Auto Start]
  <D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe><GRISOFT, s.r.o.>
[AVG7 Update Service / Avg7UpdSvc][Running/Auto Start]
  <D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe><GRISOFT, s.r.o.>
[AVG E-mail Scanner / AVGEMS][Running/Auto Start]
  <D:\PROGRA~1\Grisoft\AVG7\avgemc.exe><GRISOFT, s.r.o.>
[BF74F43E / BF74F43E][Stopped/Disabled]
  <D:\WINDOWS\system32\BF74F43E.EXE -service><N/A>
[Background Intelligent Transfer Service / BITS][Stopped/Auto Start]
  <D:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\qmgr.dll><N/A>
[Office Backup Engine / Hardware][Stopped/Auto Start]
  <D:\WINDOWS\System32\svchost.exe -k netsvcs-->D:\WINDOWS\system32\pyqhg.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[StarWind iSCSI Service / StarWindService][Running/Auto Start]
  <D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe><Rocket Division Software>

==================================
Drivers
[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
  <system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[ati2mtag / ati2mtag][Running/Manual Start]
  <System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
  <\??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG7 Kernel / Avg7Core][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7core.sys><GRISOFT, s.r.o.>
[AVG7 Wrap Driver / Avg7RsW][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7rsw.sys><GRISOFT, s.r.o.>
[AVG7 Resident Driver XP / Avg7RsXP][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7rsxp.sys><GRISOFT, s.r.o.>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[AVG7 Clean Driver / AvgClean][Running/System Start]
  <\SystemRoot\System32\Drivers\avgclean.sys><GRISOFT, s.r.o.>
[AVG Network Redirector / AvgTdi][Running/Auto Start]
  <\SystemRoot\System32\Drivers\avgtdi.sys><GRISOFT, s.r.o.>
[bdsupx9 / bdsupx93][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\bdsupx93.sys><N/A>
[fdciafbe / fdciafbe][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\fdciafbe.sys><N/A>
[FT2892 Filter / FT2892][Stopped/Manual Start]
  <system32\DRIVERS\FT2892.sys><Compuware Corporation>
[Linksys Wireless-B USB Network Adapter v2.8 Driver / FVNETusb][Running/Manual Start]
  <System32\DRIVERS\vnet558x.sys><ATMEL>
[NPPTNT2 / NPPTNT2][Running/System Start]
  <\??\D:\WINDOWS\system32\npptNT2.sys><INCA Internet Co., Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[qlsreq9 / qlsreq96][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\qlsreq96.sys><N/A>
[Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver / rtl8139][Stopped/Manual Start]
  <System32\DRIVERS\R8139n51.SYS><Realtek Semiconductor Corporation>
[Sony Ericsson Device 045 Driver driver (WDM) / SE2Dbus][Stopped/Manual Start]
  <system32\DRIVERS\SE2Dbus.sys><MCCI>
[Sony Ericsson Device 045 USB WMC Modem Filter / SE2Dmdfl][Stopped/Manual Start]
  <system32\DRIVERS\SE2Dmdfl.sys><MCCI>
[Sony Ericsson Device 045 USB WMC Modem Driver / SE2Dmdm][Stopped/Manual Start]
  <system32\DRIVERS\SE2Dmdm.sys><MCCI>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[sptd / sptd][Running/Boot Start]
  <\SystemRoot\System32\Drivers\sptd.sys><N/A>
[SYMIDSCO / SYMIDSCO][Stopped/Manual Start]
  <\??\D:\WINDOWS\System32\Drivers\SYMIDSCO.SYS><N/A>
[thpepm9 / thpepm95][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\thpepm95.sys><N/A>
[vaxscsi / vaxscsi][Running/Manual Start]
  <\SystemRoot\System32\Drivers\vaxscsi.sys><N/A>
[Winbond GPIO Driver1 / WBHWDOCT][Running/Manual Start]
  <System32\drivers\WBHWDOCT.sys><Winbond Electronics Corp.>
[yrelwf5 / yrelwf58][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\yrelwf58.sys><N/A>

==================================
Browser Add-ons
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx, >
[]
  {53707962-6F74-2D53-2644-206D7942484F} <D:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <D:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[MSN Photo Upload Tool]
  {4F1E5B1A-2A80-42CA-8532-2D05CB959537} <D:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, Microsoft® Corporation>
[Java Plug-in 1.4.0]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll, JavaSoft / Sun Microsystems, Inc.>
[Java Plug-in 1.4.0]
  {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} <C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll, JavaSoft / Sun Microsystems, Inc.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <D:\WINDOWS\System32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <D:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx, >
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <D:\WINDOWS\System32\msjava.dll, Microsoft Corporation>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <D:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <D:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <D:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\System32\msxml3.dll, N/A>
[]
  {53039542-3073-4BEE-8B0D-4E03F37A8DBF} <D:\WINDOWS\system32\4beecfsb.dll, N/A>
[]
  {53707962-6F74-2D53-2644-206D7942484F} <D:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[CKAVReportCtrl Object]
  {6117669B-8C2D-41FA-A6D9-9E484B999CF0} <D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <D:\WINDOWS\System32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <D:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[]
  {7A15A217-1955-4E4A-AE2B-1B294AE19F4F} <D:\WINDOWS\system32\4e4antos.dll, N/A>
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <D:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <D:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <D:\WINDOWS\System32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>

==================================
Running Processes
[PID: 452][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 672][\??\D:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1956][D:\WINDOWS\system32\WgaTray.exe]  [Microsoft Corporation, 1.5.0540.0]
[PID: 312][D:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [Anti-Malware Development a.s., 7, 5, 0, 47]
    [D:\Program Files\WinRAR\rarext.dll]  [N/A, ]
[PID: 524][D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe]  [ATI Technologies, Inc., 6.14.10.5134]
    [D:\Program Files\ATI Technologies\ATI Control Panel\atipdsxx.dll]  [ATI Technologies, Inc., 6.14.10.5134]
    [D:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.ENU]  [ATI Technologies, Inc., 6.14.10.5134]
    [D:\Program Files\ATI Technologies\ATI Control Panel\atipdxxx.dll]  [ATI Technologies, Inc., 6.14.10.5134]
[PID: 2028][D:\WINDOWS\SOUNDMAN.EXE]  [Realtek Semiconductor Corp., 5.1.14]
[PID: 1384][D:\Program Files\ABIT\ABIT Manager\ABITManager.exe]  [ABIT Computer Corporation, 1, 2, 1, 0]
    [D:\Program Files\ABIT\ABIT Manager\AC2003DLL.dll]  [N/A, ]
[PID: 1660][D:\Program Files\ABIT\ABIT Manager\abiteq.exe]  [, 1, 1, 0, 0]
    [D:\Program Files\ABIT\ABIT Manager\Wbcdflsh.dll]  [N/A, ]
[PID: 1720][D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe]  [Cyberlink Corp., 5.00.0000]
    [D:\Program Files\CyberLink\Shared Files\CLRCEngine2.dll]  [CyberLink Corp., 3.20.0000]
[PID: 1788][D:\Program Files\Common Files\Real\Update_OB\realsched.exe]  [RealNetworks, Inc., 0.1.0.3492]
[PID: 1908][D:\WINDOWS\system32\rundll32.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2116][D:\Program Files\QuickTime\qttask.exe]  [Apple Computer, Inc., 7.0.4]
[PID: 2148][D:\PROGRA~1\Grisoft\AVG7\avgcc.exe]  [GRISOFT, s.r.o., 7.5.0.438]
    [D:\PROGRA~1\Grisoft\AVG7\AvgTMgr.dll]  [GRISOFT, s.r.o., 7.5.0.430]
    [D:\PROGRA~1\Grisoft\AVG7\AvgCtrl.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [D:\PROGRA~1\Grisoft\AVG7\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [D:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [D:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [D:\PROGRA~1\Grisoft\AVG7\AvgAbout.dll]  [GRISOFT, s.r.o., 7.5.0.434]
    [D:\PROGRA~1\Grisoft\AVG7\AvgTest.dll]  [GRISOFT, s.r.o., 7.5.0.443]
    [D:\PROGRA~1\Grisoft\AVG7\AvgTRes.dll]  [GRISOFT, s.r.o., 7.5.0.437]
    [D:\PROGRA~1\Grisoft\AVG7\AvgSet.dll]  [, ]
    [D:\PROGRA~1\Grisoft\AVG7\avglog.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [D:\Program Files\Grisoft\AVG7\avgcfg.dll]  [GRISOFT, s.r.o., 7.5.0.442]
    [D:\Program Files\Grisoft\AVG7\avgklib.dll]  [GRISOFT, s.r.o., 7.5.0.434]
    [D:\Program Files\Grisoft\AVG7\avglng.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [D:\Program Files\Grisoft\AVG7\avgf.dll]  [N/A, ]
    [D:\Program Files\Grisoft\AVG7\AVGRES.DLL]  [N/A, ]
    [D:\Program Files\Grisoft\AVG7\avgcckrn.dll]  [GRISOFT, s.r.o., 7.5.0.445]
    [D:\Program Files\Grisoft\AVG7\avgamsps.dll]  [GRISOFT, s.r.o., 7.5.0.407]
    [D:\Program Files\Grisoft\AVG7\avgvault.dll]  [GRISOFT, s.r.o., 7.5.0.439]
    [D:\Program Files\Grisoft\AVG7\avgrep.dll]  [GRISOFT, s.r.o., 7.5.0.407]
    [D:\Program Files\Grisoft\AVG7\avgunarc.dll]  [GRISOFT, s.r.o., 7.5.0.443]
    [D:\PROGRA~1\Grisoft\AVG7\avgemsui.dll]  [GRISOFT, s.r.o., 7.5.0.434]
    [D:\PROGRA~1\Grisoft\AVG7\avgemcps.dll]  [GRISOFT, s.r.o., 7.5.0.420]
[PID: 2160][D:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2796][D:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[PID: 4040][D:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.8.1.3: 2007030919]
    [D:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
    [D:\Program Files\Mozilla Firefox\nspr4.dll]  [Netscape Communications Corporation, 4.6.5]
    [D:\Program Files\Mozilla Firefox\xpcom_core.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [D:\Program Files\Mozilla Firefox\plc4.dll]  [Netscape Communications Corporation, 4.6.5]
    [D:\Program Files\Mozilla Firefox\plds4.dll]  [Netscape Communications Corporation, 4.6.5]
    [D:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [D:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [D:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
    [D:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [D:\Program Files\Mozilla Firefox\xpcom_compat.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [D:\Program Files\Mozilla Firefox\components\myspell.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [D:\Program Files\Mozilla Firefox\components\jar50.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [D:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
    [D:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.62]
    [D:\Program Files\Mozilla Firefox\components\spellchk.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
[PID: 2100][D:\Documents and Settings\Administrator\Desktop\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["D:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1       localhost

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================
As for the program reporting the trojans, it's the AVG Free that is reporting. As you told me to install an antivirus in your previous reply, I went to download and install it.
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm
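
The SREng log above lists every autorun together with the publisher SREng could read from the file, and the entries Bob4 later sends to Jotti are exactly the ones with no publisher at a load point. As an added example (not SREng's code, nor anything the posters ran), the Python below parses the "Boot Items / Registry" section in that layout and flags such entries; the excerpt is copied from the log above, and the set of load-point key names is an assumption of this example.

```python
"""Triage helper for the 'Boot Items / Registry' section of a System Repair
Engineer (SREng) log, like the one pasted above.

Added example for this thread: it is not part of SREng, HijackThis or any
other tool used here.  It assumes SREng's text layout:

    [HKEY_...\\SomeKey]
        <Name><Command>  [Publisher]

where Publisher is '(Verified)...' for a file whose signature SREng checked,
a vendor name, 'N/A' when the file carries no version information, or empty.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s+<([^>]*)><(.*)>\s+\[(.*)\]\s*$")

# Leaf keys where an entry executes code at boot or logon (assumed set).
# An unknown publisher under one of these deserves a second look.
LOAD_POINTS = {"Run", "RunOnce", "ShellExecuteHooks", "Winlogon", "Windows"}


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    publisher: str

    @property
    def load_point(self) -> str:
        """Leaf name of the registry key, e.g. 'Run' or 'ShellExecuteHooks'."""
        return self.key.rsplit("\\", 1)[-1]

    @property
    def verified(self) -> bool:
        """SREng prefixes the publisher with '(Verified)' after a signature check."""
        return self.publisher.startswith("(Verified)")

    @property
    def unknown_publisher(self) -> bool:
        """No vendor string at all: 'N/A' or an empty bracket."""
        return self.publisher.strip() in ("", "N/A")


def parse_registry_section(text: str) -> List[AutorunEntry]:
    """Return every <Name><Command> [Publisher] line under its registry key."""
    entries: List[AutorunEntry] = []
    current_key: Optional[str] = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key is not None:
            name, command, publisher = entry_match.groups()
            entries.append(AutorunEntry(current_key, name, command, publisher))
    return entries


def suspicious_entries(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries at a load point with no publisher information.

    This is a triage cue, not a verdict: legitimate vendor tools without
    version resources (ABIT Manager below) land here too, and a signed file
    is only as trustworthy as its signer.
    """
    return [e for e in entries
            if e.load_point in LOAD_POINTS and e.unknown_publisher]


# Excerpt of the SREng 'Boot Items / Registry' section posted in this thread.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><D:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ATIPTA><D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe>  [ATI Technologies, Inc.]
    <ABITEQ><D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{90BC520C-9175-470E-94B8-10FD869D170B}><D:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.vxd>  [N/A]
    <{1B4E3287-2C14-F46E-89D0-AADD240C8583}><D:\WINDOWS\system32\6.dll>  [N/A]
    <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <qlsreq96><; %systemroot%\system32\Rundll32.exe "%systemroot%\system32\qlsreq96.dll",Start>  [N/A]
"""

if __name__ == "__main__":
    for entry in suspicious_entries(parse_registry_section(SAMPLE_LOG)):
        print(f"{entry.load_point:18} {entry.name:40} {entry.command}")
```

Run against the excerpt it flags four entries: the two unnamed ShellExecuteHooks DLLs, the rundll32-launched qlsreq96 entry, and ABIT's abiteq.exe, which illustrates why the list is a starting point for a file scan rather than a removal list.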

Unread post by godpig » April 11th, 2007, 5:52 am

Logfile of HijackThis v1.99.1
Scan saved at 5:51:46 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
D:\Program Files\ABIT\ABIT Manager\abiteq.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABITManager] D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
O4 - HKLM\..\Run: [ABITEQ] D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qlsreq96] ; %systemroot%\system32\Rundll32.exe "%systemroot%\system32\qlsreq96.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/r ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{678B4F31-AB23-40EA-A3DD-B9FCDB9EA25A}: NameServer = 202.156.1.48,202.156.1.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread post by godpig » April 13th, 2007, 2:07 pm

Hi, so what's the next step I should do?
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread post by Bob4 » April 14th, 2007, 6:04 am

I apologize, I must have lost track of this topic for a day or so.
I will look at this log soon.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread post by godpig » April 14th, 2007, 12:05 pm

Heya, no problem.

But my comp is definitely getting better... will try and read this soon :D
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread post by Bob4 » April 15th, 2007, 12:45 pm

_____________________________
Submit these files to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.

Copy each report 1 at a time for me. This will take some time, so be patient.

Some of them will report 0 bytes and not scan. just do them all to be sure.


D:\WINDOWS\system32\BF74F43E.EXE
D:\WINDOWS\debug\userMode\0DE49.dll
D:\WINDOWS\system32\qlsreq96.dll
D:\WINDOWS\system32\6.dll
D:\WINDOWS\System32\DRIVERS\bdsupx93.sys
D:\WINDOWS\system32\drivers\fdciafbe.sys
D:\WINDOWS\system32\qlsreq96.dll
D:\WINDOWS\System32\DRIVERS\qlsreq96.sys
D:\WINDOWSt\System32\DRIVERS\thpepm95.sys



Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html


Post the reports from all those files please.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread post by godpig » April 15th, 2007, 4:38 pm

There you go, got these reports all from Jotti.

D:\WINDOWS\system32\BF74F43E.EXE
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\debug\userMode\0DE49.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\system32\qlsreq96.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\system32\6.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\System32\DRIVERS\bdsupx93.sys
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\system32\drivers\fdciafbe.sys
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\system32\qlsreq96.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWS\System32\DRIVERS\qlsreq96.sys
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
D:\WINDOWSt\System32\DRIVERS\thpepm95.sys
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm