Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I need to remove pop ups and winspy 2007 it keeps d/ling to

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

I need to remove pop ups and winspy 2007 it keeps d/ling to

Unread postby tonydat1ger » August 17th, 2007, 10:30 am

This is my log from Hijaclthis

Logfile of HijackThis v1.99.1
Scan saved at 7:23:26 AM, on 8/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mavjuual.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Online Services\hory22011.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\lrdsrngr.exe
C:\WINDOWS\retadpu77.exe
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [hory] C:\Program Files\Online Services\hory22011.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinsmdt.exe CHD003
O4 - HKLM\..\Run: [{3B-B0-0B-BC-ZN}] C:\WINDOWS\system32\lrdsrngr.exe CHD003
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lrdsrngr.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinsmdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6504367468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6504204625
O20 - AppInit_DLLs:
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm
Advertisement
Register to Remove

Unread postby Shaba » August 19th, 2007, 9:51 am

Hi tonydat1ger

First install one antivirus from below:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. Press 1 and enter.When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

Post:

- a fresh HijackThis log
- combofix report
- findawf report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

COMBOFIX LOG, HIJACKTHIS LOG, AND AWF LOG

Unread postby tonydat1ger » August 20th, 2007, 12:08 pm

HERE IS THE AWF LOG.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 08/20/2007
The current time is: 8:04:56.46


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/07/2005 12:46 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report

THIS IS THE HIJACKTHIS. LOG

Logfile of HijackThis v1.99.1
Scan saved at 8:30:01 AM, on 8/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\mavjuual.exe
C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\windows\system32\lrdsrngr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rwinsmdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{3B-B0-0B-BC-ZN}] c:\windows\system32\lrdsrngr.exe CHD003
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinsmdt.exe CHD003
O4 - HKCU\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKCU\..\Run: [Scsb] "C:\DOCUME~1\anna\MYDOCU~1\SSTEM3~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Mxkgud] "C:\Program Files\??pPatch\n?pdb.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lrdsrngr.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinsmdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6504367468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6504204625
O20 - AppInit_DLLs:
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)

THIS IS THE COMBOFIX LOG.

ComboFix 07-08-17.2 - "anna" 2007-08-19 20:26:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.54 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\anna\APPLIC~1.\asembl~1
C:\DOCUME~1\anna\APPLIC~1\..\err.log
C:\DOCUME~1\anna\APPLIC~1\install.dat
C:\DOCUME~1\anna\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\anna\APPLIC~1\WinTouch\WTUninstaller.exe
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\filter.drv
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\IExpl32d.exe
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\MSIEHelper.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx475a.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx482b.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx531e.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx64ew.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx66b.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx71ctw.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx72ctw.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx75ctw.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx76ctw.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx78ctw.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\filters\prx80w.dll
C:\DOCUME~1\anna\LOCALS~1\APPLIC~1.\microsoft\internet explorer\prndrv.dll
C:\DOCUME~1\anna\MYDOCU~1.\sstem3~1
C:\DOCUME~1\anna\MYDOCU~1.\sstem3~1\mmc.exe
C:\DOCUME~1\anna\MYDOCU~1.\sstem3~1\s?stem32\
C:\DOCUME~1\anna\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\anna\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\anna\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\DOCUME~1\anna\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\j.exe
C:\Program Files\Common Files\winantispyware 2007\j.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\ComPlus Applications\lavumave.dll
C:\Program Files\ComPlus Applications\lavumave741.dll
C:\Program Files\ComPlus Applications\profsybypru.html
C:\Program Files\inetget2
C:\Program Files\Online Services\hory22011.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ppatch~1
C:\Program Files\ppatch~1\n?pdb.exe
C:\Program Files\spysheriff
C:\Program Files\spysheriff\Uninstall.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\stem~1
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_files.cfg
C:\WINDOWS\system32\drivers\hd_proc.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\hd_self.cfg
C:\WINDOWS\system32\drivers\hflt_ipf.sys
C:\WINDOWS\system32\drivers\runtime2.sy_
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\ewpncfhq.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\f10WtR\f10WtR1099.exe
C:\WINDOWS\system32\H1
C:\WINDOWS\system32\H1\dl22011.exe
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\jerh.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pmnkiji.dll
C:\WINDOWS\system32\rqrrrol.dll
C:\WINDOWS\system32\rwinsmdt.exe
C:\WINDOWS\system32\sklitfgr.dll
C:\WINDOWS\system32\ujxhxheg.dll
C:\WINDOWS\system32\V1
C:\WINDOWS\system32\vteciybu.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\wvuutut.dll
C:\WINDOWS\system32\xxyyxus.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\tk58.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\winhp32.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_HFLT_IPF
-------\LEGACY_NDNET1
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_QTSJXIGW
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_UXSPXVEL
-------\cmdService
-------\hflt_ipf
-------\qtsjxigw
-------\uxspxvel


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 20:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-17 11:24 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-16 15:46 43,542 --a------ C:\WINDOWS\system32\nnnkjif.dll
2007-08-16 03:00 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-08-16 03:00 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-08-16 03:00 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-08-15 16:01 52,758 --a------ C:\WINDOWS\system32\lrdsrngr.exe
2007-08-15 12:46 43,542 --a------ C:\WINDOWS\system32\qommjki.dll
2007-08-15 10:31 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-08-15 10:30 43,542 --a------ C:\WINDOWS\system32\rqrpqpm.dll
2007-08-15 10:30 43,542 --------- C:\WINDOWS\system32\tuvwvtq.dll
2007-08-15 10:30 <DIR> d--hs---- C:\WINDOWS\bkVX
2007-08-15 10:30 <DIR> d-------- C:\WINDOWS\system32\tmps9
2007-08-15 10:30 <DIR> d-------- C:\WINDOWS\system32\chkconfig
2007-08-15 10:30 <DIR> d-------- C:\Temp
2007-08-15 09:01 92,160 --a------ C:\WINDOWS\system32\cscdll.dll
2007-08-15 09:01 433,152 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2007-08-15 09:01 166,656 --a------ C:\WINDOWS\system32\drivers\rdbss.sys
2007-08-15 08:38 971,264 --a------ C:\WINDOWS\system32\msgina.dll
2007-08-15 08:38 681,984 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-08-15 08:38 595,968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2007-08-15 08:38 51,712 --a------ C:\WINDOWS\system32\msasn1.dll
2007-08-15 08:38 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-08-15 08:38 260,608 --a------ C:\WINDOWS\system32\gdi32.dll
2007-08-15 08:38 136,704 --a------ C:\WINDOWS\system32\schannel.dll
2007-08-15 08:37 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-08-14 16:06 <DIR> d-------- C:\Program Files\WinBudget
2007-08-10 07:21 79,872 --a------ C:\WINDOWS\system32\srvsvc.dll
2007-08-09 14:48 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-08-07 15:49 32,512 --a------ C:\WINDOWS\system32\drivers\amdk7.sys
2007-08-07 15:49 3,584 --a------ C:\WINDOWS\system32\dsprpres.dll
2007-08-07 15:49 29,696 --a------ C:\WINDOWS\system32\asr_pfu.exe
2007-08-07 15:49 12,288 --a------ C:\WINDOWS\system32\encapi.dll
2007-08-07 15:49 10,752 --a------ C:\WINDOWS\system32\spiisupd.exe
2007-08-07 15:48 97,792 --a------ C:\WINDOWS\system32\mqtgsvc.exe
2007-08-07 15:48 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-08-07 15:48 88,576 --a------ C:\WINDOWS\system32\mqsec.dll
2007-08-07 15:48 73,728 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-08-07 15:48 7,680 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-08-07 15:48 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll
2007-08-07 15:48 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-08-07 15:48 67,584 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-08-07 15:48 67,584 --a------ C:\WINDOWS\system32\fdeploy.dll
2007-08-07 15:48 67,456 --a------ C:\WINDOWS\system32\drivers\mqac.sys
2007-08-07 15:48 61,440 --a------ C:\WINDOWS\system32\openfiles.exe
2007-08-07 15:48 608,768 --a------ C:\WINDOWS\system32\mqqm.dll
2007-08-07 15:48 57,856 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-08-07 15:48 57,856 --a------ C:\WINDOWS\system32\nwwks.dll
2007-08-07 15:48 55,808 --a------ C:\WINDOWS\system32\mqlogmgr.dll
2007-08-07 15:48 55,296 --a------ C:\WINDOWS\system32\logman.exe
2007-08-07 15:48 545,792 --a------ C:\WINDOWS\system32\wsecedit.dll
2007-08-07 15:48 488,960 --a------ C:\WINDOWS\system32\gpedit.dll
2007-08-07 15:48 478,720 --a------ C:\WINDOWS\system32\mqsnap.dll
2007-08-07 15:48 47,616 --a------ C:\WINDOWS\system32\eventcreate.exe
2007-08-07 15:48 467,456 --a------ C:\WINDOWS\system32\mqutil.dll
2007-08-07 15:48 45,056 --a------ C:\WINDOWS\system32\cipher.exe
2007-08-07 15:48 44,544 --a------ C:\WINDOWS\system32\mqupgrd.dll
2007-08-07 15:48 44,032 --a------ C:\WINDOWS\system32\mqdscli.dll
2007-08-07 15:48 403,456 --a------ C:\WINDOWS\system32\winbrand.dll
2007-08-07 15:48 4,608 --a------ C:\WINDOWS\system32\mqsvc.exe
2007-08-07 15:48 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2007-08-07 15:48 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-07 15:48 277,504 --a------ C:\WINDOWS\system32\appmgr.dll
2007-08-07 15:48 27,648 --a------ C:\WINDOWS\system32\pidgen.dll
2007-08-07 15:48 27,136 --a------ C:\WINDOWS\system32\asr_fmt.exe
2007-08-07 15:48 24,576 --a------ C:\WINDOWS\system32\efsadu.dll
2007-08-07 15:48 231,936 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-08-07 15:48 23,040 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-08-07 15:48 218,112 --a------ C:\WINDOWS\system32\sbe.dll
2007-08-07 15:48 214,016 --a------ C:\WINDOWS\system32\mqoa.dll
2007-08-07 15:48 187,904 --a------ C:\WINDOWS\system32\xpsp1res.dll
2007-08-07 15:48 183,808 --a------ C:\WINDOWS\system32\gptext.dll
2007-08-07 15:48 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-08-07 15:48 172,032 --a------ C:\WINDOWS\system32\mssap.dll
2007-08-07 15:48 17,408 --a------ C:\WINDOWS\system32\mqbkup.exe
2007-08-07 15:48 165,888 --a------ C:\WINDOWS\system32\mqrt.dll
2007-08-07 15:48 164,352 --a------ C:\WINDOWS\system32\mqtrig.dll
2007-08-07 15:48 16,896 --a------ C:\WINDOWS\system32\secedit.exe
2007-08-07 15:48 156,672 --a------ C:\WINDOWS\system32\appmgmts.dll
2007-08-07 15:48 156,544 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2007-08-07 15:48 155,648 --a------ C:\WINDOWS\system32\encdec.dll
2007-08-07 15:48 14,848 --a------ C:\WINDOWS\system32\mqise.dll
2007-08-07 15:48 130,048 --a------ C:\WINDOWS\system32\mqad.dll
2007-08-07 15:48 115,200 --a------ C:\WINDOWS\system32\mqrtdep.dll
2007-08-07 15:48 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-08-07 15:48 113,664 --a------ C:\WINDOWS\system32\schtasks.exe
2007-08-07 15:48 113,152 --a------ C:\WINDOWS\system32\gpresult.exe
2007-08-07 15:48 110,080 --a------ C:\WINDOWS\system32\sbeio.dll
2007-08-07 15:48 103,936 --a------ C:\WINDOWS\system32\rsnotify.exe
2007-08-07 15:48 1,135,616 --a------ C:\WINDOWS\system32\ntbackup.exe
2007-08-07 15:46 995,384 --a------ C:\WINDOWS\system32\mfc42u.dll
2007-08-07 15:46 995,383 --a------ C:\WINDOWS\system32\mfc42.dll
2007-08-07 15:46 99,840 --a------ C:\WINDOWS\system32\iexpress.exe
2007-08-07 15:46 99,840 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-08-07 15:46 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-08-07 15:46 98,304 --a------ C:\WINDOWS\system32\actxprxy.dll
2007-08-07 15:46 94,720 --a------ C:\WINDOWS\system32\dmusic.dll
2007-08-07 15:46 92,160 --a------ C:\WINDOWS\system32\krnl386.exe
2007-08-07 15:46 91,648 --a------ C:\WINDOWS\system32\loadperf.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 20:38 --------- d-------- C:\Program Files\Online Services
2007-08-19 20:05 76288 --a------ C:\WINDOWS\system32\mgkamgk.dll
2007-08-17 10:08 17024 --a------ C:\WINDOWS\system32\drivers\yggdxyqj.sys
2007-08-15 16:08 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-15 09:13 43520 --a------ C:\WINDOWS\system32\conrekwl.dll
2007-08-13 08:34 64512 --a------ C:\WINDOWS\system32\jrvcbuto.dll
2007-08-09 15:05 --------- d-------- C:\Program Files\Messenger
2007-08-07 16:04 --------- d-------- C:\Program Files\Windows NT
2007-08-07 16:04 --------- d-------- C:\Program Files\Movie Maker
2007-08-07 08:37 751616 --a------ C:\WINDOWS\system32\xrxbkits.dll
2007-08-03 08:54 --------- d-------- C:\Program Files\Common Files\Intuit
2007-08-03 08:53 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-08-03 08:46 --------- d-------- C:\Program Files\vplaces
2007-08-01 15:20 --------- d-------- C:\Program Files\Yahoo!
2007-07-26 15:23 --------- d-------- C:\Program Files\Mahjong Jade Expedition
2007-07-20 09:52 94208 --a------ C:\WINDOWS\system32\yyofmlca(2).dll
2007-07-20 09:52 63488 --a------ C:\WINDOWS\system32\jrvcbuto(2).dll
2007-07-20 09:52 41984 --a------ C:\WINDOWS\system32\hrqmtzrp(2).dll
2007-07-20 09:52 121856 --a------ C:\WINDOWS\system32\qkdwzgjk(6).dll
2007-07-13 07:06 12416 --a------ C:\WINDOWS\system32\drivers\yggdxyqj(2).sys
2007-07-11 08:49 --------- d-------- C:\DOCUME~1\anna\APPLIC~1\MSN6
2007-07-06 08:54 123392 --a------ C:\WINDOWS\system32\qkdwzgjk(9).dll
2007-07-06 08:54 123392 --a------ C:\WINDOWS\system32\qkdwzgjk(8).dll
2007-07-06 08:54 123392 --a------ C:\WINDOWS\system32\qkdwzgjk(7).dll
2007-07-03 10:57 --------- d-------- C:\Program Files\AIM6
2007-07-02 08:33 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-29 13:47 --------- d-------- C:\Program Files\Jasc Software Inc
2007-06-29 13:46 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-29 08:35 65024 --a------ C:\WINDOWS\system32\jrvcbuto(3).dll
2007-06-29 08:35 39424 --a------ C:\WINDOWS\system32\hrqmtzrp(5).dll
2007-06-29 08:35 39424 --a------ C:\WINDOWS\system32\hrqmtzrp(4).dll
2007-06-29 08:35 39424 --a------ C:\WINDOWS\system32\hrqmtzrp(3).dll
2007-06-21 13:12 --------- d-------- C:\Program Files\MSN Games
2007-06-18 08:51 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-18 08:51 147729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-06-18 08:48 750592 --a------ C:\WINDOWS\system32\xrxbkits(7).dll
2007-06-18 08:48 750592 --a------ C:\WINDOWS\system32\xrxbkits(6).dll
2007-06-18 08:48 750592 --a------ C:\WINDOWS\system32\xrxbkits(5).dll
2007-06-18 08:22 92672 --a------ C:\WINDOWS\system32\yyofmlca(5).dll
2007-06-18 08:22 92672 --a------ C:\WINDOWS\system32\yyofmlca(4).dll
2007-06-18 08:22 92672 --a------ C:\WINDOWS\system32\yyofmlca(3).dll
2007-06-18 08:22 750592 --a------ C:\WINDOWS\system32\xrxbkits(3).dll
2007-06-18 08:22 140288 --a------ C:\WINDOWS\system32\qkdwzgjk(5).dll
2007-05-31 08:22 684567 --a------ C:\WINDOWS\system32\libeay32(3).dll
2007-05-31 08:22 147729 --a------ C:\WINDOWS\system32\libssl32(3).dll
2007-05-30 08:09 750592 --a------ C:\WINDOWS\system32\xrxbkits(2).dll
2007-05-30 08:09 122368 --a------ C:\WINDOWS\system32\qkdwzgjk(2).dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\bkVX\v4pr.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06203B78-837C-4063-BF7D-63AB25EBB469}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F1B11D1-25E0-4A3D-A0A0-9F88AA167D27}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12F1FD07-9F94-481F-9D48-6C1031720095}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1771F6B9-5FA6-4CA7-9DDF-76A64F65BF7E}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A6FA265-BAE5-4DD7-889A-08AC9F1C4B7B}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2DFEC3-D83B-466D-B350-FF41F7F91CCE}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CFF73C9-AEF5-4E80-B8B1-5BC3577BB39B}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25B52E74-E9D3-45A6-A2A9-D480D92B93B7}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2962413C-E9B8-4090-BC43-9747949A9972}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C474378-82D5-4C91-BEB3-75BA270135BA}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DFC0242-6631-4A27-8EE3-51AFEFFD2D73}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{303B02A9-0441-4025-8AFC-27B10F3B396E}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35720027-E062-474C-B3B8-21252BB8AFC5}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D54E7BA-0127-4A94-96DE-629BDBD8EB8C}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46C38867-99B5-42D4-99DF-FF08DF45B07E}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49A27C3B-332D-4CFE-A56D-09E8F5605CD3}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B58B2BB-8106-49E8-B381-143C0ABEF2F4}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FF273EC-ED80-4EE7-B226-C71FC333CF5F}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55E8C715-6A63-4A0F-B202-E765890941B8}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56915FDB-C76B-434E-9840-2B48729972EC}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5711FB03-8861-4089-B7AF-BBB46A682357}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
2007-08-15 10:30 43542 --------- C:\WINDOWS\System32\tuvwvtq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{591C8375-01B4-4DD3-AF61-7A485CAD1B34}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64D712D1-84D9-281C-CE7D-32439D631863}]
2007-03-29 11:04 10240 --a------ C:\WINDOWS\system\bpmtcs32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71C48846-FE00-4669-BC29-C39B6DB01E33}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720E190D-CF3D-4459-B3C8-B648CD582F5D}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B5FF37A-7FDA-4B4C-A090-42B2A895FC0E}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CD094AB-EEB0-4AD4-B55A-A001C7C218ED}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F9B1CD6-3EE7-46FD-B616-545AF70D2AA2}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87B925C6-B69B-4F1A-8997-B352E6BBA682}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ADC3CBD-6FAB-4773-BC6A-446F489191DC}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B7FE812-5458-497D-8771-1FA6C73231E7}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D412E38-EFA7-4B8F-8022-DEEA52AAD4D5}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9422AC7B-BE7E-41A5-A56B-F6CFCDF21C7B}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95882480-2E0B-473A-B507-AA1BB8D45BA6}]
2007-08-13 08:34 64512 --a------ c:\windows\system32\jrvcbuto.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95F1FB4F-BFE7-483E-B71B-427CADEC3E29}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D2777CD-F812-4B44-B548-1698011DA9E4}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E8D2E39-48B5-4272-B49D-A102B58124FD}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A240E485-B800-4FB7-A0CF-C498165BED9A}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5001AFE-D7F4-4DE0-AD75-C71A633401D2}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6F94888-7FCF-414C-8C5B-021A679D5C4F}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A91D010E-DEF7-4D79-808A-108169EE2387}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE1409A0-A2BA-4A6C-816F-288A577113E5}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF76DB65-C423-4813-973C-E83167CF8B25}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B98AB7AF-4870-4154-8D11-662458D2643D}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C72FD44E-C6EE-482A-BAAF-4C68ACF163B6}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFC731D7-AC8F-4D54-86B9-12B6EE78172D}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D34299E9-3AEE-4935-AAA2-7FA2B6DB8311}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDD75832-AF5B-49A7-AF7A-772C3253D010}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E72D207F-9D6A-4D95-A948-68EA4CFD5569}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB2B20BB-DA2E-4FFA-B099-1DADAB3E7AB9}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F395538D-5594-4663-B9FD-318F1F58297F}]
2007-08-19 20:05 76288 --a------ c:\windows\system32\mgkamgk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59]
"mavjuual"="C:\WINDOWS\System32\mavjuual.exe" [2007-03-29 11:04]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 00:41]
"HostManager"="C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe" [2006-05-09 17:24]
"svhost"="C:\WINDOWS\svhost.exe" []
"{3B-B0-0B-BC-ZN}"="C:\WINDOWS\system32\lrdsrngr.exe" [2007-08-15 16:01]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mavjuual"="C:\WINDOWS\System32\mavjuual.exe" [2007-03-29 11:04]
"Uniblue SpeedUpMyPC"="" []
"Scsb"="C:\DOCUME~1\anna\MYDOCU~1\SSTEM3~1\mmc.exe" []
"Mxkgud"="C:\Program Files\??pPatch\n?pdb.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\profsybypru.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\System32\tuvwvtq.dll [2007-08-15 10:30 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvtq]
tuvwvtq.dll 2007-08-15 10:30 43542 C:\WINDOWS\system32\tuvwvtq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^anna^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\anna\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^anna^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\anna\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 avipbb;avipbb;C:\WINDOWS\System32\DRIVERS\avipbb.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - QTSJXIGW

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Webcam Enhance V2.1]
C:\WINDOWS\runtfs32.exe

Contents of the 'Scheduled Tasks' folder
2007-08-16 23:14:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-08-06 23:08:59 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 07:57:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 7:59:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 07:59

--- E O F ---
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm

Unread postby Shaba » August 20th, 2007, 12:22 pm

Hi

Rename HijackThis.exe to scanner.exe

After that:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\drivers\yggdxyqj.sys

Repeat step for these:

C:\WINDOWS\system32\conrekwl.dll
C:\WINDOWS\system32\jrvcbuto.dll
C:\WINDOWS\system32\xrxbkits.dll
C:\WINDOWS\system32\qkdwzgjk(6).dll
C:\WINDOWS\system32\yyofmlca(2).dll
C:\WINDOWS\system32\hrqmtzrp(5).dll
C:\WINDOWS\runtfs32.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Post:

- a fresh HijackThis log
- vundofix report
- jotti/virustotal results
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Hijackthislog, vundofix report, and virustotal results

Unread postby tonydat1ger » August 20th, 2007, 4:35 pm

VIRUSTOTAL REPORT

File conrekwl.dll received on 08.20.2007 20:16:03 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 11/32 (34.38%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 46 and 66 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.08.20 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 BHO.APC
BitDefender 7.2 2007.08.20 Trojan.Conhook.Y
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 W32/CrazyCrunch-based!Maximus
F-Secure 6.70.13030.0 2007.08.20 W32/BHO.QG
Ikarus T3.1.1.12 2007.08.20 Trojan.Conhook.Y
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 W32/BHO.QG
Panda 9.0.0.4 2007.08.19 Suspicious file
Prevx1 V2 2007.08.20 Generic.Malware
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 -
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Dldr.ConHook.Gen
Additional information
File size: 43520 bytes
MD5: 2bc4e3a20f7a2732ebd3c194f94ff1b7
SHA1: 2d2b9b0bbaebc8193f196c4a82a50da05ce7befd
packers: MORPHINE, UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 006F342467


File jrvcbuto.dll received on 08.20.2007 20:44:10 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 8/32 (25%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 52 and 75 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.08.20 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 -
BitDefender 7.2 2007.08.20 Trojan.Conhook.Y
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 -
F-Secure 6.70.13030.0 2007.08.20 W32/BHO.QG
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 W32/BHO.QG
Panda 9.0.0.4 2007.08.19 Suspicious file
Prevx1 V2 2007.08.20 Generic.Malware
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 Trojan Horse
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Dldr.ConHook.Gen
Additional information
File size: 64512 bytes
MD5: 53294575b21766086c53e29337a75f19
SHA1: 2d11da21193f4b5f43f2aa4affee29fa55f8639e
packers: MORPHINE, UPX
packers: Morphine
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 002F73A617


File xrxbkits.dll_ received on 08.20.2007 20:53:56 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 7/32 (21.88%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 46 and 66 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.08.20 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 BHO.AMF
BitDefender 7.2 2007.08.20 Trojan.Conhook.Y
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 -
F-Secure 6.70.13030.0 2007.08.20 W32/BHO.QG
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 W32/BHO.QG
Panda 9.0.0.4 2007.08.19 Suspicious file
Prevx1 V2 2007.08.20 -
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 -
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Dldr.ConHook.Gen
Additional information
File size: 751616 bytes
MD5: 535fd66204dcd902e4c5d908b4c7026a
SHA1: affb5e8ab507348cc8e03f60ad34a9ad7c22b9af
packers: MORPHINE, UPX, UPX, UPX, UPX
packers: Morphine



File qkdwzgjk_6_.dll_ received on 08.20.2007 21:01:32 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 7/32 (21.88%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 58 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.08.20 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 -
BitDefender 7.2 2007.08.20 Trojan.Conhook.Y
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 -
F-Secure 6.70.13030.0 2007.08.20 W32/BHO.QG
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 W32/BHO.QG
Panda 9.0.0.4 2007.08.19 Suspicious file
Prevx1 V2 2007.08.20 -
Rising 19.36.60.00 2007.08.19 Trojan.Win32.Agent.vja
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 -
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Dldr.ConHook.Gen
Additional information
File size: 121856 bytes
MD5: 56e58269b5549a6ef54abacece87be6f
SHA1: c80a5e2332f4730a56a2bb45a0305a306d995049
packers: MORPHINE, UPX
packers: Morphine


File yyofmlca_2_.dll_ received on 08.20.2007 21:09:28 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 9/32 (28.13%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 58 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.08.20 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 BHO.AN
BitDefender 7.2 2007.08.20 Trojan.Conhook.Y
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 Trojan.Sentinel
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 -
F-Secure 6.70.13030.0 2007.08.20 W32/BHO.QG
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 W32/BHO.QG
Panda 9.0.0.4 2007.08.19 Suspicious file
Prevx1 V2 2007.08.20 -
Rising 19.36.60.00 2007.08.19 Trojan.Win32.Agent.vic
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 -
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Dldr.ConHook.Gen
Additional information
File size: 94208 bytes
MD5: fbe08d64a5d3fcd2ebe7c066592f87ec
SHA1: d8700422e466b9f141832c2cd2f341a60e7011bf
packers: MORPHINE, UPX, BINARYRES, MORPHINE
packers: Morphine


File hrqmtzrp_5_.dll_ received on 08.20.2007 22:16:51 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 8/32 (25%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 58 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.08.20 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 Obfustat.SO
BitDefender 7.2 2007.08.20 Trojan.Dldr.Conhook.AQ
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 W32/CrazyCrunch-based!Maximus
F-Secure 6.70.13030.0 2007.08.20 -
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 -
Panda 9.0.0.4 2007.08.19 Suspicious file
Prevx1 V2 2007.08.20 Generic.Malware
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 -
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Dldr.ConHook.Gen
Additional information
File size: 39424 bytes
MD5: 5c001b1bfb0f2f368dc58562e4c976f2
SHA1: c584aed9de1170d305f83a189c40eef31403bcc4
packers: MORPHINE, UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00EC35EB9E


C:\WINDOWS\runtfs32.exe

this file was not found

<BR>
<BR>
<B>HIJACKTHIS LOG</B>

Logfile of HijackThis v1.99.1
Scan saved at 11:08:11 AM, on 8/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1161728750\ee\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system32\lrdsrngr.exe
C:\WINDOWS\System32\rwinsmdt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mavjuual.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rwinsmdt.exe
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\scanner.exe.exe

O2 - BHO: (no name) - {06203B78-837C-4063-BF7D-63AB25EBB469} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F1B11D1-25E0-4A3D-A0A0-9F88AA167D27} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {12F1FD07-9F94-481F-9D48-6C1031720095} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1771F6B9-5FA6-4CA7-9DDF-76A64F65BF7E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1A6FA265-BAE5-4DD7-889A-08AC9F1C4B7B} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1C2DFEC3-D83B-466D-B350-FF41F7F91CCE} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1CFF73C9-AEF5-4E80-B8B1-5BC3577BB39B} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {25B52E74-E9D3-45A6-A2A9-D480D92B93B7} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {2962413C-E9B8-4090-BC43-9747949A9972} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {2C474378-82D5-4C91-BEB3-75BA270135BA} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {2DFC0242-6631-4A27-8EE3-51AFEFFD2D73} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {303B02A9-0441-4025-8AFC-27B10F3B396E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {35720027-E062-474C-B3B8-21252BB8AFC5} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {3D54E7BA-0127-4A94-96DE-629BDBD8EB8C} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\System32\ivabeudd.dll
O2 - BHO: (no name) - {46C38867-99B5-42D4-99DF-FF08DF45B07E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {47514715-8D03-4577-B029-54A590D9809D} - C:\WINDOWS\System32\awtqq.dll (file missing)
O2 - BHO: (no name) - {49A27C3B-332D-4CFE-A56D-09E8F5605CD3} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {4B58B2BB-8106-49E8-B381-143C0ABEF2F4} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {4FF273EC-ED80-4EE7-B226-C71FC333CF5F} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {55E8C715-6A63-4A0F-B202-E765890941B8} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {56915FDB-C76B-434E-9840-2B48729972EC} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {5711FB03-8861-4089-B7AF-BBB46A682357} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\System32\tuvwvtq.dll
O2 - BHO: (no name) - {591C8375-01B4-4DD3-AF61-7A485CAD1B34} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll (file missing)
O2 - BHO: (no name) - {71C48846-FE00-4669-BC29-C39B6DB01E33} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {720E190D-CF3D-4459-B3C8-B648CD582F5D} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {7B5FF37A-7FDA-4B4C-A090-42B2A895FC0E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {7CD094AB-EEB0-4AD4-B55A-A001C7C218ED} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {7F9B1CD6-3EE7-46FD-B616-545AF70D2AA2} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {87B925C6-B69B-4F1A-8997-B352E6BBA682} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {8ADC3CBD-6FAB-4773-BC6A-446F489191DC} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {8B7FE812-5458-497D-8771-1FA6C73231E7} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {8D412E38-EFA7-4B8F-8022-DEEA52AAD4D5} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {9422AC7B-BE7E-41A5-A56B-F6CFCDF21C7B} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {95882480-2E0B-473A-B507-AA1BB8D45BA6} - c:\windows\system32\jrvcbuto.dll
O2 - BHO: (no name) - {95F1FB4F-BFE7-483E-B71B-427CADEC3E29} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {9D2777CD-F812-4B44-B548-1698011DA9E4} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {9E8D2E39-48B5-4272-B49D-A102B58124FD} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A240E485-B800-4FB7-A0CF-C498165BED9A} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A5001AFE-D7F4-4DE0-AD75-C71A633401D2} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A6F94888-7FCF-414C-8C5B-021A679D5C4F} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A91D010E-DEF7-4D79-808A-108169EE2387} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {AE1409A0-A2BA-4A6C-816F-288A577113E5} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {AF76DB65-C423-4813-973C-E83167CF8B25} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {B98AB7AF-4870-4154-8D11-662458D2643D} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {C72FD44E-C6EE-482A-BAAF-4C68ACF163B6} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {CFC731D7-AC8F-4D54-86B9-12B6EE78172D} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {D34299E9-3AEE-4935-AAA2-7FA2B6DB8311} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {DDD75832-AF5B-49A7-AF7A-772C3253D010} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {E72D207F-9D6A-4D95-A948-68EA4CFD5569} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {EB2B20BB-DA2E-4FFA-B099-1DADAB3E7AB9} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {F395538D-5594-4663-B9FD-318F1F58297F} - c:\windows\system32\mgkamgk.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{3B-B0-0B-BC-ZN}] C:\windows\system32\lrdsrngr.exe CHD003
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinsmdt.exe CHD003
O4 - HKCU\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKCU\..\Run: [Scsb] "C:\DOCUME~1\anna\MYDOCU~1\SSTEM3~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Mxkgud] "C:\Program Files\??pPatch\n?pdb.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lrdsrngr.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinsmdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6504367468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6504204625
O20 - AppInit_DLLs:
O20 - Winlogon Notify: tuvwvtq - C:\WINDOWS\SYSTEM32\tuvwvtq.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)


<B>VUNDOFIX REPORT</B>


VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 11:00:12 AM 8/20/2007

Listing files found while scanning....

C:\WINDOWS\System32\awtqq.dll
C:\windows\system32\mgkamgk.dll
C:\WINDOWS\System32\qqtwa.bak1
C:\WINDOWS\System32\qqtwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\awtqq.dll
C:\WINDOWS\System32\awtqq.dll Has been deleted!

Attempting to delete C:\windows\system32\mgkamgk.dll
C:\windows\system32\mgkamgk.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\qqtwa.bak1
C:\WINDOWS\System32\qqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qqtwa.ini
C:\WINDOWS\System32\qqtwa.ini Has been deleted!

Performing Repairs to the registry.
Done!
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm

Unread postby Shaba » August 21st, 2007, 2:44 am

Hi

Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\system32\drivers\yggdxyqj.sys
C:\WINDOWS\system32\conrekwl.dll
C:\WINDOWS\system32\jrvcbuto.dll
C:\WINDOWS\system32\xrxbkits.dll
C:\WINDOWS\system32\qkdwzgjk(6).dll
C:\WINDOWS\system32\yyofmlca(2).dll
C:\WINDOWS\system32\hrqmtzrp(5).dll

Go to spykiller

Press new topic, make threads title "Files for Shaba"
Include to your message a link to here, then attach the cab/zip file to your message and post the topic
If you cant locate it through the browse button just copy/paste the filename and path.

After that:

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {06203B78-837C-4063-BF7D-63AB25EBB469} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {0F1B11D1-25E0-4A3D-A0A0-9F88AA167D27} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {12F1FD07-9F94-481F-9D48-6C1031720095} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1771F6B9-5FA6-4CA7-9DDF-76A64F65BF7E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1A6FA265-BAE5-4DD7-889A-08AC9F1C4B7B} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1C2DFEC3-D83B-466D-B350-FF41F7F91CCE} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {1CFF73C9-AEF5-4E80-B8B1-5BC3577BB39B} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {25B52E74-E9D3-45A6-A2A9-D480D92B93B7} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {2962413C-E9B8-4090-BC43-9747949A9972} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {2C474378-82D5-4C91-BEB3-75BA270135BA} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {2DFC0242-6631-4A27-8EE3-51AFEFFD2D73} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {303B02A9-0441-4025-8AFC-27B10F3B396E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {35720027-E062-474C-B3B8-21252BB8AFC5} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {3D54E7BA-0127-4A94-96DE-629BDBD8EB8C} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\System32\ivabeudd.dll
O2 - BHO: (no name) - {46C38867-99B5-42D4-99DF-FF08DF45B07E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {47514715-8D03-4577-B029-54A590D9809D} - C:\WINDOWS\System32\awtqq.dll (file missing)
O2 - BHO: (no name) - {49A27C3B-332D-4CFE-A56D-09E8F5605CD3} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {4B58B2BB-8106-49E8-B381-143C0ABEF2F4} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {4FF273EC-ED80-4EE7-B226-C71FC333CF5F} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {55E8C715-6A63-4A0F-B202-E765890941B8} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {56915FDB-C76B-434E-9840-2B48729972EC} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {5711FB03-8861-4089-B7AF-BBB46A682357} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\System32\tuvwvtq.dll
O2 - BHO: (no name) - {591C8375-01B4-4DD3-AF61-7A485CAD1B34} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll (file missing)
O2 - BHO: (no name) - {71C48846-FE00-4669-BC29-C39B6DB01E33} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {720E190D-CF3D-4459-B3C8-B648CD582F5D} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {7B5FF37A-7FDA-4B4C-A090-42B2A895FC0E} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {7CD094AB-EEB0-4AD4-B55A-A001C7C218ED} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {7F9B1CD6-3EE7-46FD-B616-545AF70D2AA2} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {87B925C6-B69B-4F1A-8997-B352E6BBA682} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {8ADC3CBD-6FAB-4773-BC6A-446F489191DC} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {8B7FE812-5458-497D-8771-1FA6C73231E7} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {8D412E38-EFA7-4B8F-8022-DEEA52AAD4D5} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {9422AC7B-BE7E-41A5-A56B-F6CFCDF21C7B} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {95882480-2E0B-473A-B507-AA1BB8D45BA6} - c:\windows\system32\jrvcbuto.dll
O2 - BHO: (no name) - {95F1FB4F-BFE7-483E-B71B-427CADEC3E29} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {9D2777CD-F812-4B44-B548-1698011DA9E4} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {9E8D2E39-48B5-4272-B49D-A102B58124FD} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A240E485-B800-4FB7-A0CF-C498165BED9A} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A5001AFE-D7F4-4DE0-AD75-C71A633401D2} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A6F94888-7FCF-414C-8C5B-021A679D5C4F} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {A91D010E-DEF7-4D79-808A-108169EE2387} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {AE1409A0-A2BA-4A6C-816F-288A577113E5} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {AF76DB65-C423-4813-973C-E83167CF8B25} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {B98AB7AF-4870-4154-8D11-662458D2643D} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {C72FD44E-C6EE-482A-BAAF-4C68ACF163B6} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {CFC731D7-AC8F-4D54-86B9-12B6EE78172D} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {D34299E9-3AEE-4935-AAA2-7FA2B6DB8311} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {DDD75832-AF5B-49A7-AF7A-772C3253D010} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {E72D207F-9D6A-4D95-A948-68EA4CFD5569} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {EB2B20BB-DA2E-4FFA-B099-1DADAB3E7AB9} - c:\windows\system32\mgkamgk.dll (file missing)
O2 - BHO: (no name) - {F395538D-5594-4663-B9FD-318F1F58297F} - c:\windows\system32\mgkamgk.dll (file missing)
O4 - HKLM\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{3B-B0-0B-BC-ZN}] C:\windows\system32\lrdsrngr.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinsmdt.exe CHD003
O4 - HKCU\..\Run: [mavjuual] C:\WINDOWS\System32\mavjuual.exe
O4 - HKCU\..\Run: [Scsb] "C:\DOCUME~1\anna\MYDOCU~1\SSTEM3~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Mxkgud] "C:\Program Files\??pPatch\n?pdb.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lrdsrngr.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinsmdt.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: tuvwvtq - C:\WINDOWS\SYSTEM32\tuvwvtq.dll


Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
File::
C:\WINDOWS\system32\nnnkjif.dll
C:\WINDOWS\system32\lrdsrngr.exe
C:\WINDOWS\system32\qommjki.dll
C:\WINDOWS\system32\rqrpqpm.dll
C:\WINDOWS\system32\tuvwvtq.dll 
C:\WINDOWS\system32\mgkamgk.dll
C:\WINDOWS\system32\drivers\yggdxyqj.sys
C:\WINDOWS\system32\conrekwl.dll
C:\WINDOWS\system32\jrvcbuto.dll 
C:\WINDOWS\system32\xrxbkits.dll 
C:\WINDOWS\system32\yyofmlca(2).dll
C:\WINDOWS\system32\jrvcbuto(2).dll
C:\WINDOWS\system32\hrqmtzrp(2).dll
C:\WINDOWS\system32\qkdwzgjk(6).dll
C:\WINDOWS\system32\drivers\yggdxyqj(2).sys
C:\WINDOWS\system32\qkdwzgjk(9).dll
C:\WINDOWS\system32\qkdwzgjk(8).dll
C:\WINDOWS\system32\qkdwzgjk(7).dll 
C:\WINDOWS\system32\jrvcbuto(3).dll
C:\WINDOWS\system32\hrqmtzrp(5).dll
C:\WINDOWS\system32\hrqmtzrp(4).dll
C:\WINDOWS\system32\hrqmtzrp(3).dll
C:\WINDOWS\system32\xrxbkits(7).dll
C:\WINDOWS\system32\xrxbkits(6).dll
C:\WINDOWS\system32\xrxbkits(5).dll
C:\WINDOWS\system32\yyofmlca(5).dll
C:\WINDOWS\system32\yyofmlca(4).dll
C:\WINDOWS\system32\yyofmlca(3).dll
C:\WINDOWS\system32\xrxbkits(3).dll
C:\WINDOWS\system32\qkdwzgjk(5).dll
C:\WINDOWS\system32\libeay32(3).dll
C:\WINDOWS\system32\libssl32(3).dll
C:\WINDOWS\system32\xrxbkits(2).dll
C:\WINDOWS\system32\qkdwzgjk(2).dll 

Folder::
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
C:\WINDOWS\bkVX
C:\WINDOWS\system32\tmps9
C:\WINDOWS\system32\chkconfig
C:\Temp 

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^anna^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^anna^Start Menu^Programs^Startup^Think-Adz.lnk]


Save this as "CFScript"

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

New Hijackthis log, Combofix Log

Unread postby tonydat1ger » August 21st, 2007, 1:38 pm

ComboFix 07-08-17.2 - "anna" 2007-08-21 10:18:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.87 [GMT -7:00]
Command switches used :: C:\Documents and Settings\anna\Desktop\applications\fix computer\combofix\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\nnnkjif.dll
C:\WINDOWS\system32\lrdsrngr.exe
C:\WINDOWS\system32\qommjki.dll
C:\WINDOWS\system32\rqrpqpm.dll
C:\WINDOWS\system32\tuvwvtq.dll
C:\WINDOWS\system32\mgkamgk.dll
C:\WINDOWS\system32\drivers\yggdxyqj.sys
C:\WINDOWS\system32\conrekwl.dll
C:\WINDOWS\system32\jrvcbuto.dll
C:\WINDOWS\system32\xrxbkits.dll
C:\WINDOWS\system32\yyofmlca(2).dll
C:\WINDOWS\system32\jrvcbuto(2).dll
C:\WINDOWS\system32\hrqmtzrp(2).dll
C:\WINDOWS\system32\qkdwzgjk(6).dll
C:\WINDOWS\system32\drivers\yggdxyqj(2).sys
C:\WINDOWS\system32\qkdwzgjk(9).dll
C:\WINDOWS\system32\qkdwzgjk(8).dll
C:\WINDOWS\system32\qkdwzgjk(7).dll
C:\WINDOWS\system32\jrvcbuto(3).dll
C:\WINDOWS\system32\hrqmtzrp(5).dll
C:\WINDOWS\system32\hrqmtzrp(4).dll
C:\WINDOWS\system32\hrqmtzrp(3).dll
C:\WINDOWS\system32\xrxbkits(7).dll
C:\WINDOWS\system32\xrxbkits(6).dll
C:\WINDOWS\system32\xrxbkits(5).dll
C:\WINDOWS\system32\yyofmlca(5).dll
C:\WINDOWS\system32\yyofmlca(4).dll
C:\WINDOWS\system32\yyofmlca(3).dll
C:\WINDOWS\system32\xrxbkits(3).dll
C:\WINDOWS\system32\qkdwzgjk(5).dll
C:\WINDOWS\system32\libeay32(3).dll
C:\WINDOWS\system32\libssl32(3).dll
C:\WINDOWS\system32\xrxbkits(2).dll
C:\WINDOWS\system32\qkdwzgjk(2).dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt
C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon\domains.txt
C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon\log.txt
C:\Temp
C:\WINDOWS\bkVX
C:\WINDOWS\bkVX\v4pr.vbs
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\chkconfig
C:\WINDOWS\system32\chkconfig\d770125.exe
C:\WINDOWS\system32\conrekwl.dll
C:\WINDOWS\system32\drivers\yggdxyqj(2).sys
C:\WINDOWS\system32\drivers\yggdxyqj.sys
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\hrqmtzrp(2).dll
C:\WINDOWS\system32\hrqmtzrp(3).dll
C:\WINDOWS\system32\hrqmtzrp(4).dll
C:\WINDOWS\system32\hrqmtzrp(5).dll
C:\WINDOWS\system32\ivabeudd.dll
C:\WINDOWS\system32\jrvcbuto(2).dll
C:\WINDOWS\system32\jrvcbuto(3).dll
C:\WINDOWS\system32\jrvcbuto.dll
C:\WINDOWS\system32\libeay32(3).dll
C:\WINDOWS\system32\libssl32(3).dll
C:\WINDOWS\system32\lrdsrngr.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nnnkjif.dll
C:\WINDOWS\system32\qkdwzgjk(2).dll
C:\WINDOWS\system32\qkdwzgjk(5).dll
C:\WINDOWS\system32\qkdwzgjk(6).dll
C:\WINDOWS\system32\qkdwzgjk(7).dll
C:\WINDOWS\system32\qkdwzgjk(8).dll
C:\WINDOWS\system32\qkdwzgjk(9).dll
C:\WINDOWS\system32\qommjki.dll
C:\WINDOWS\system32\rqrpqpm.dll
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rwinsmdt.exe
C:\WINDOWS\system32\sjqecuwk.dll
C:\WINDOWS\system32\tmps9
C:\WINDOWS\system32\tmps9\MTIDoxN1.exe
C:\WINDOWS\system32\tuvwvtq.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\xrxbkits(2).dll
C:\WINDOWS\system32\xrxbkits(3).dll
C:\WINDOWS\system32\xrxbkits(5).dll
C:\WINDOWS\system32\xrxbkits(6).dll
C:\WINDOWS\system32\xrxbkits(7).dll
C:\WINDOWS\system32\xrxbkits.dll
C:\WINDOWS\system32\yyofmlca(2).dll
C:\WINDOWS\system32\yyofmlca(3).dll
C:\WINDOWS\system32\yyofmlca(4).dll
C:\WINDOWS\system32\yyofmlca(5).dll
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-20 11:00 <DIR> d-------- C:\VundoFix Backups
2007-08-19 20:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-16 03:00 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-08-16 03:00 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-08-16 03:00 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-08-15 09:01 92,160 --a------ C:\WINDOWS\system32\cscdll.dll
2007-08-15 09:01 433,152 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2007-08-15 09:01 166,656 --a------ C:\WINDOWS\system32\drivers\rdbss.sys
2007-08-15 08:38 971,264 --a------ C:\WINDOWS\system32\msgina.dll
2007-08-15 08:38 681,984 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-08-15 08:38 595,968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2007-08-15 08:38 51,712 --a------ C:\WINDOWS\system32\msasn1.dll
2007-08-15 08:38 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-08-15 08:38 260,608 --a------ C:\WINDOWS\system32\gdi32.dll
2007-08-15 08:38 136,704 --a------ C:\WINDOWS\system32\schannel.dll
2007-08-15 08:37 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-08-14 16:06 <DIR> d-------- C:\Program Files\WinBudget
2007-08-10 07:21 79,872 --a------ C:\WINDOWS\system32\srvsvc.dll
2007-08-09 14:48 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-08-07 15:49 32,512 --a------ C:\WINDOWS\system32\drivers\amdk7.sys
2007-08-07 15:49 3,584 --a------ C:\WINDOWS\system32\dsprpres.dll
2007-08-07 15:49 29,696 --a------ C:\WINDOWS\system32\asr_pfu.exe
2007-08-07 15:49 12,288 --a------ C:\WINDOWS\system32\encapi.dll
2007-08-07 15:49 10,752 --a------ C:\WINDOWS\system32\spiisupd.exe
2007-08-07 15:48 97,792 --a------ C:\WINDOWS\system32\mqtgsvc.exe
2007-08-07 15:48 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-08-07 15:48 88,576 --a------ C:\WINDOWS\system32\mqsec.dll
2007-08-07 15:48 73,728 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-08-07 15:48 7,680 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-08-07 15:48 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll
2007-08-07 15:48 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-08-07 15:48 67,584 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-08-07 15:48 67,584 --a------ C:\WINDOWS\system32\fdeploy.dll
2007-08-07 15:48 67,456 --a------ C:\WINDOWS\system32\drivers\mqac.sys
2007-08-07 15:48 61,440 --a------ C:\WINDOWS\system32\openfiles.exe
2007-08-07 15:48 608,768 --a------ C:\WINDOWS\system32\mqqm.dll
2007-08-07 15:48 57,856 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-08-07 15:48 57,856 --a------ C:\WINDOWS\system32\nwwks.dll
2007-08-07 15:48 55,808 --a------ C:\WINDOWS\system32\mqlogmgr.dll
2007-08-07 15:48 55,296 --a------ C:\WINDOWS\system32\logman.exe
2007-08-07 15:48 545,792 --a------ C:\WINDOWS\system32\wsecedit.dll
2007-08-07 15:48 488,960 --a------ C:\WINDOWS\system32\gpedit.dll
2007-08-07 15:48 478,720 --a------ C:\WINDOWS\system32\mqsnap.dll
2007-08-07 15:48 47,616 --a------ C:\WINDOWS\system32\eventcreate.exe
2007-08-07 15:48 467,456 --a------ C:\WINDOWS\system32\mqutil.dll
2007-08-07 15:48 45,056 --a------ C:\WINDOWS\system32\cipher.exe
2007-08-07 15:48 44,544 --a------ C:\WINDOWS\system32\mqupgrd.dll
2007-08-07 15:48 44,032 --a------ C:\WINDOWS\system32\mqdscli.dll
2007-08-07 15:48 403,456 --a------ C:\WINDOWS\system32\winbrand.dll
2007-08-07 15:48 4,608 --a------ C:\WINDOWS\system32\mqsvc.exe
2007-08-07 15:48 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2007-08-07 15:48 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-07 15:48 277,504 --a------ C:\WINDOWS\system32\appmgr.dll
2007-08-07 15:48 27,648 --a------ C:\WINDOWS\system32\pidgen.dll
2007-08-07 15:48 27,136 --a------ C:\WINDOWS\system32\asr_fmt.exe
2007-08-07 15:48 24,576 --a------ C:\WINDOWS\system32\efsadu.dll
2007-08-07 15:48 231,936 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-08-07 15:48 23,040 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-08-07 15:48 218,112 --a------ C:\WINDOWS\system32\sbe.dll
2007-08-07 15:48 214,016 --a------ C:\WINDOWS\system32\mqoa.dll
2007-08-07 15:48 187,904 --a------ C:\WINDOWS\system32\xpsp1res.dll
2007-08-07 15:48 183,808 --a------ C:\WINDOWS\system32\gptext.dll
2007-08-07 15:48 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-08-07 15:48 172,032 --a------ C:\WINDOWS\system32\mssap.dll
2007-08-07 15:48 17,408 --a------ C:\WINDOWS\system32\mqbkup.exe
2007-08-07 15:48 165,888 --a------ C:\WINDOWS\system32\mqrt.dll
2007-08-07 15:48 164,352 --a------ C:\WINDOWS\system32\mqtrig.dll
2007-08-07 15:48 16,896 --a------ C:\WINDOWS\system32\secedit.exe
2007-08-07 15:48 156,672 --a------ C:\WINDOWS\system32\appmgmts.dll
2007-08-07 15:48 156,544 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2007-08-07 15:48 155,648 --a------ C:\WINDOWS\system32\encdec.dll
2007-08-07 15:48 14,848 --a------ C:\WINDOWS\system32\mqise.dll
2007-08-07 15:48 130,048 --a------ C:\WINDOWS\system32\mqad.dll
2007-08-07 15:48 115,200 --a------ C:\WINDOWS\system32\mqrtdep.dll
2007-08-07 15:48 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-08-07 15:48 113,664 --a------ C:\WINDOWS\system32\schtasks.exe
2007-08-07 15:48 113,152 --a------ C:\WINDOWS\system32\gpresult.exe
2007-08-07 15:48 110,080 --a------ C:\WINDOWS\system32\sbeio.dll
2007-08-07 15:48 103,936 --a------ C:\WINDOWS\system32\rsnotify.exe
2007-08-07 15:48 1,135,616 --a------ C:\WINDOWS\system32\ntbackup.exe
2007-08-07 15:46 995,384 --a------ C:\WINDOWS\system32\mfc42u.dll
2007-08-07 15:46 995,383 --a------ C:\WINDOWS\system32\mfc42.dll
2007-08-07 15:46 99,840 --a------ C:\WINDOWS\system32\iexpress.exe
2007-08-07 15:46 99,840 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-08-07 15:46 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-08-07 15:46 98,304 --a------ C:\WINDOWS\system32\actxprxy.dll
2007-08-07 15:46 94,720 --a------ C:\WINDOWS\system32\dmusic.dll
2007-08-07 15:46 92,160 --a------ C:\WINDOWS\system32\krnl386.exe
2007-08-07 15:46 91,648 --a------ C:\WINDOWS\system32\loadperf.dll
2007-08-07 15:46 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-08-07 15:46 9,728 --a------ C:\WINDOWS\system32\gpkrsrc.dll
2007-08-07 15:46 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-08-07 15:46 9,216 --a------ C:\WINDOWS\system32\dumprep.exe
2007-08-07 15:46 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-08-07 15:46 84,992 --a------ C:\WINDOWS\system32\dskquota.dll
2007-08-07 15:46 80,384 --a------ C:\WINDOWS\system32\mciavi32.dll
2007-08-07 15:46 80,384 --a------ C:\WINDOWS\system32\cabview.dll
2007-08-07 15:46 8,832 --a------ C:\WINDOWS\system32\framebuf.dll
2007-08-07 15:46 8,704 --a------ C:\WINDOWS\system32\lprhelp.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 15:15 --------- d-------- C:\DOCUME~1\anna\APPLIC~1\Corel
2007-08-19 20:38 --------- d-------- C:\Program Files\Online Services
2007-08-15 16:08 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-09 15:05 --------- d-------- C:\Program Files\Messenger
2007-08-07 16:04 --------- d-------- C:\Program Files\Windows NT
2007-08-07 16:04 --------- d-------- C:\Program Files\Movie Maker
2007-08-03 08:54 --------- d-------- C:\Program Files\Common Files\Intuit
2007-08-03 08:53 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-08-03 08:46 --------- d-------- C:\Program Files\vplaces
2007-08-01 15:20 --------- d-------- C:\Program Files\Yahoo!
2007-07-26 15:23 --------- d-------- C:\Program Files\Mahjong Jade Expedition
2007-07-11 08:49 --------- d-------- C:\DOCUME~1\anna\APPLIC~1\MSN6
2007-07-03 10:57 --------- d-------- C:\Program Files\AIM6
2007-07-02 08:33 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-29 13:47 --------- d-------- C:\Program Files\Jasc Software Inc
2007-06-29 13:46 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-21 13:12 --------- d-------- C:\Program Files\MSN Games
2007-06-18 08:51 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-18 08:51 147729 --a------ C:\WINDOWS\system32\libssl32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 00:41]
"HostManager"="C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe" [2006-05-09 17:24]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\profsybypru.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvtq]
tuvwvtq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 avipbb;avipbb;C:\WINDOWS\System32\DRIVERS\avipbb.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Webcam Enhance V2.1]
C:\WINDOWS\runtfs32.exe

Contents of the 'Scheduled Tasks' folder
2007-08-16 23:14:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-08-06 23:08:59 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 10:25:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 10:27:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 10:26
C:\ComboFix2.txt ... 2007-08-20 07:59

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 10:28:27 AM, on 8/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\scanner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6504367468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6504204625
O20 - Winlogon Notify: tuvwvtq - tuvwvtq.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm

Unread postby Shaba » August 21st, 2007, 1:41 pm

Hi

Much better :)

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: tuvwvtq - tuvwvtq.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source=-

It should look like this -> Image

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Install one of the firewall below:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Sunbelt/Kerio
3) Agnitum
4) ZoneAlarm

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

After that:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Hijackthis log, Kaspersky log

Unread postby tonydat1ger » August 21st, 2007, 7:41 pm

Logfile of HijackThis v1.99.1
Scan saved at 4:38:43 PM, on 8/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\scanner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6504367468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6504204625
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 21, 2007 4:40:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/08/2007
Kaspersky Anti-Virus database records: 386812
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 60062
Number of viruses found: 20
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 04:50:58

Infected Object Name / Virus Name / Last Action
C:\anr0008.exe Object is locked skipped
C:\Documents and Settings\anna\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\anna\Desktop\$ntservicepackuninstall$\secdrv.sys Object is locked skipped
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\backups\backup-20070821-095826-196.dll Object is locked skipped
C:\Documents and Settings\anna\Desktop\Musik\Music2\### magalenha samba ### (New.Album).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\anna\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache2.bmc Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\anna\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\History\History.IE5\MSHist012007082120070822\index.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temp\~DFF19E.tmp Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\anna\ntuser.dat Object is locked skipped
C:\Documents and Settings\anna\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\MahJong_JADESetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Downloads\MahJong_JADESetup-dm[2].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\QooBox\Quarantine\C\DOCUME~1\anna\LOCALS~1\APPLIC~1\Microsoft\Internet Explorer\Filters\prx475a.dll.vir Infected: SpamTool.Win32.Agent.am skipped
C:\QooBox\Quarantine\C\DOCUME~1\anna\MYDOCU~1\SSTEM3~1\mmc.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\j.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\ComPlus Applications\lavumave.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\ComPlus Applications\lavumave741.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Online Services\hory22011.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\chkconfig\d770125.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\conrekwl.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hflt_ipf.sys.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f10WtR\f10WtR1099.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkhfe.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lrdsrngr.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnkjif.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnkiji.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qkdwzgjk(6).dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qkdwzgjk(7).dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qkdwzgjk(8).dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qkdwzgjk(9).dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qommjki.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwinsmdt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\QooBox\Quarantine\catchme2007-08-20_ 75745.40.zip/WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\QooBox\Quarantine\catchme2007-08-20_ 75745.40.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2007-08-21_102453.37.zip/tuvwvtq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-21_102453.37.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000029.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000038.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000039.exe Infected: not-a-virus:Downloader.Win32.WinFixer.w skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000506.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000510.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000510.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000524.exe Infected: Rootkit.Win32.Agent.ey skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000527.exe Infected: not-virus:Hoax.Win32.Renos.fl skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000798.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000808.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0001828.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0001828.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0001854.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0004907.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0004909.exe Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0004914.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0004977.dll Object is locked skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0004983.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005002.dll Infected: SpamTool.Win32.Agent.am skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005003.dll Object is locked skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005013.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005014.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005015.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005015.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005015.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005022.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005040.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005229.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005238.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005240.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005391.exe Object is locked skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\PT3.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C6F6C780-44FA-479F-AA41-D5EB6501F105}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\yggdxyqj(3).sys Infected: Rootkit.Win32.Podnuha.a skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmrywbeh.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\TEMP\ZLT020c5.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT020cc.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm

Unread postby Shaba » August 22nd, 2007, 10:29 am

Hi

Empty this folder:

C:\QooBox\Quarantine

Delete these:

C:\Downloads\MahJong_JADESetup-dm[1].exe
C:\Downloads\MahJong_JADESetup-dm[2].exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\system32\drivers\yggdxyqj(3).sys

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

hijackthis, kaspersky

Unread postby tonydat1ger » August 22nd, 2007, 7:52 pm

HI! THANKS ALOT, MY COMPUTER IS RUNNING BETTER.

Logfile of HijackThis v1.99.1
Scan saved at 4:49:39 PM, on 8/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1161728750\ee\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anna\Desktop\applications\fix computer\HijackThis\scanner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161728750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6504367468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6504204625
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 22, 2007 2:11:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/08/2007
Kaspersky Anti-Virus database records: 387215
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62677
Number of viruses found: 20
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 04:46:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\anna\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\anna\Desktop\Musik\Music2\### magalenha samba ### (New.Album).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\anna\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache2.bmc Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\anna\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\History\History.IE5\MSHist012007082220070823\index.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\49CTQNSX\400x360_top-black[1].gif Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\49CTQNSX\mediahitcounter[2].ashx Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\49CTQNSX\token[5].ashx Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\49CTQNSX\UserStatusChange[2].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\5R7RPX4E\std_5c74df6d8a1eaf85113361051897699e[1].mp3 Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\5R7RPX4E\UserStatusChange[4].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\5R7RPX4E\UserStatusChange[6].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\BE0JN109\UserStatusChange[2].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\BE0JN109\UserStatusChange[4].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\BE0JN109\UserStatusChange[5].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\BE0JN109\UserStatusChange[6].html Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\S1CNWNOF\UserStatusChange[2].html Object is locked skipped
C:\Documents and Settings\anna\ntuser.dat Object is locked skipped
C:\Documents and Settings\anna\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\DOCUME~1\anna\LOCALS~1\APPLIC~1\Microsoft\Internet Explorer\Filters\prx475a.dll.vir Infected: SpamTool.Win32.Agent.am skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\Program Files\Common Files\WinAntiSpyware 2007\j.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\WINDOWS\system32\f10WtR\f10WtR1099.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\WINDOWS\system32\lrdsrngr.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc2\WINDOWS\system32\rwinsmdt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc5.zip/WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc5.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc6.zip/tuvwvtq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc6.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc7.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc8.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\RECYCLER\S-1-5-21-602162358-73586283-725345543-1007\Dc9.sys Infected: Rootkit.Win32.Podnuha.a skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000029.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000038.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000039.exe Infected: not-a-virus:Downloader.Win32.WinFixer.w skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000506.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000510.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000510.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000524.exe Infected: Rootkit.Win32.Agent.ey skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000527.exe Infected: not-virus:Hoax.Win32.Renos.fl skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000798.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0000808.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0001828.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0001828.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0001854.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0004907.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0004909.exe Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP0\A0004914.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0004983.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005002.dll Infected: SpamTool.Win32.Agent.am skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005013.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005014.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005015.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005015.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005015.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005022.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP2\A0005040.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005229.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005238.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\A0005240.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{F647C863-1F50-467E-85B8-FF814C0C54AE}\RP3\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\PT3.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{29951E65-FB38-456A-8901-F2BC7530E7E4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\TEMP\ZLT062c4.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT062ca.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm

Unread postby Shaba » August 23rd, 2007, 2:11 am

Hi

Delete this:

C:\Documents and Settings\anna\Desktop\Musik\Music2\### magalenha samba ### (New.Album).wma

Empty Recycle Bin

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby tonydat1ger » August 23rd, 2007, 11:37 am

Ok. Well my computer is running faster than before. I have no more pop ups. I really appreciate your help. I have one more questions does myspace give you a lot of viruses , I don’t understand how I got infected with all those things u know. But other than that my computer is good. Thank you so much.


One more thing. can i put all those programs in a separet folder altogether or do i have to delete them? u know just incase this happends again?
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm

Unread postby Shaba » August 23rd, 2007, 12:33 pm

Hi

"does myspace give you a lot of viruses"

I don't know about "a lot" but I know that there are some bad sites, too.

"One more thing. can i put all those programs in a separet folder altogether or do i have to delete them? "

You can remove all tools we used if you like to :)

Any other issues?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby tonydat1ger » August 23rd, 2007, 12:40 pm

no i dont have anymore questions. well thanks alot for all of your help. you have a great day! :)
tonydat1ger
Active Member
 
Posts: 14
Joined: August 16th, 2007, 4:40 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 286 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware