
IEXPLORE.exe is at 100%

Post by ber88 » September 15th, 2007, 6:09 pm

IEXPLORE.exe is at 100% and it's not open. However, when I try to end the task, it reopens in Task Manager again. Below is my HijackThis startup and scan log. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:54:12 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
C:\WINDOWS\sysc10trg.exe
C:\WINDOWS\system32\stdex32.exe
C:\WINDOWS\system32\Dennt.exe
C:\WINDOWS\System32\oserv25.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winfpgpc.exe
C:\WINDOWS\system32\zddbg32.exe
D:\Download\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [cnndiag] C:\WINDOWS\sysc10trg.exe
O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\system32\stdex32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\system32\svchd32.exe
O4 - HKLM\..\Run: [ksddi] C:\WINDOWS\system32\kconf.exe
O4 - HKLM\..\Run: [Sund32] C:\WINDOWS\system32\Dennt.exe
O4 - HKLM\..\Run: [oserv25] C:\WINDOWS\System32\oserv25.exe
O4 - HKLM\..\Run: [hac2] C:\WINDOWS\system32\hac2.exe
O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
O4 - HKLM\..\Run: [regstd] C:\WINDOWS\system32\regstd.exe
O4 - HKLM\..\Run: [Hacdbg32] C:\WINDOWS\system32\Hacdbg32.exe
O4 - HKLM\..\Run: [stdex32] C:\WINDOWS\system32\stdex32.exe
O4 - HKLM\..\Run: [zddbg32] C:\WINDOWS\system32\zddbg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: webhsbe.dll e1.dll confcnn.dll onfksd.dll ksstat.dll h2ubcjsw.dll oservmz25.dll diagisr.dll
O20 - Winlogon Notify: ksdmgr - C:\WINDOWS\SYSTEM32\ksdmgr32.dll
O20 - Winlogon Notify: oserv25 - C:\WINDOWS\System32\oserv25.dll
O20 - Winlogon Notify: winfpgpc - C:\WINDOWS\system32\winfpgpc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6195 bytes
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Post by Scotty » September 17th, 2007, 11:16 am

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please be patient, as my posts to you have to be checked before I reply, so they may take longer.

REMOVE TRENDMICRO HIJACKTHIS

Please delete any HijackThis folders and files you have now. Use Add/Remove Programs and remove HijackThis. What you have now is a Beta version, and TM's HJT is now out of Beta.

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut, from here.

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here please.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Post by ber88 » September 17th, 2007, 3:05 pm

Thank you for your efforts.
Please find below the requested list:
????
????? ??????? ??? ??????
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Chavruta
Coup de Pouce Lecture CP-CE1 v1.0
DivX
DoroTree
DVD Solution
FormServer
Free Download Manager 2.0 - Free Downloads Center Edition
Frontbase Image To Icon 2.1
Harry Potter II
Hijackthis 1.99.1
HijackThis 1.99.1
hp deskjet 5550 series (Remove only)
HP PrecisionScan
hp print screen utility
ICQ6
LAN Utility
LG ODD Auto Firmware Update
Microsoft Office 2000 Small Business
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
MSN
MSXML 4.0 SP2 (KB927978)
Nero OEM
OLYMPUS Master
PowerDVD
PowerProducer
Presto! PageManager
RealPlayer
RollerCoaster Tycoon 2
SCANPORT ScanModule V2.43
Scooby-Doo (TM), Le Mystère du Château hanté(TM)
Scooby-Doo(TM), Panique dans la Ville fantôme(TM)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Skype 2.5
The Gabay
upapp
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
USB PC Camera 301P
VideoLAN VLC media player 0.8.5
VoipBuster
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Xvid 1.1.2 final uninstall
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Post by Scotty » September 18th, 2007, 6:24 am

Hi

First of all, I have a message from a teacher here. "G'mar Chatima Tova".

Download and Run ComboFix

  • Download this file from below:

    Here
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Post by ber88 » September 18th, 2007, 3:35 pm

Thanks for the blessing.
May I wish the same to you and your teacher.

Please find the ComboFix log and HijackThis log

ComboFix 07-09-18.4 - "Oved" 2007-09-18 18:50:57.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.113 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\confcnn.dll
C:\WINDOWS\system32\e1.dll
C:\WINDOWS\system32\msngr.exe
C:\WINDOWS\system32\ss.exe
C:\WINDOWS\system32\updserv32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-18 18:57 53,248 --ah----- C:\WINDOWS\system32\confcnn.dll
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 15:33 <DIR> d--hs---- C:\FOUND.007
2007-09-18 14:34 62,976 --a------ C:\WINDOWS\system32\zddbg32.exe
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-09 21:19 <DIR> d--hs---- C:\FOUND.006
2007-09-08 16:42 218 --a------ C:\WINDOWS\system32\cdbg32.exexe.exe
2007-09-08 14:41 124,444 --a------ C:\WINDOWS\system32\stdex32.exe
2007-09-01 22:40 26 --a-s---- C:\WINDOWS\system32\dasrep.dat
2007-08-31 16:31 0 --a------ C:\WINDOWS\jdqlxr8.dll
2007-08-31 16:07 37,195 --a------ C:\WINDOWS\system32\hac2.exe
2007-08-31 15:05 16 --a------ C:\WINDOWS\gfr.dat
2007-08-30 17:37 0 --a------ C:\WINDOWS\c8db5ntkl.dll
2007-08-27 14:02 127,597 --a------ C:\WINDOWS\system32\netdex.exe
2007-08-27 12:22 0 --a------ C:\WINDOWS\lov1co.dat
2007-08-24 15:54 98,304 --a------ C:\WINDOWS\system32\oserv25.dll
2007-08-24 15:54 9,216 --a------ C:\WINDOWS\system32\oservmc25.dll
2007-08-24 15:54 79,667 --a------ C:\WINDOWS\system32\oserv25.exe
2007-08-24 15:54 6,144 --a------ C:\WINDOWS\system32\oservmx25.exe
2007-08-24 15:54 16,384 --a------ C:\WINDOWS\system32\oservmz25.dll
2007-08-23 19:30 84,992 --a------ C:\WINDOWS\system32\Dennt.exe
2007-08-23 19:30 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-23 19:29 741,376 --a------ C:\WINDOWS\system32\libeay32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-17 14:32 45056 --ah----- C:\WINDOWS\system32\sperf.exe
2007-08-08 03:48 114176 --a------ C:\WINDOWS\system32\pk32j.exe
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-26 10:48 31166 --a------ C:\WINDOWS\system32\sk070725.exe
2007-07-24 08:50 61440 --ah----- C:\WINDOWS\system32\h2ubcjsw.dll
2007-07-24 08:50 53248 --ah----- C:\WINDOWS\system32\ewph65as.dll
2007-07-24 08:50 45056 --ah----- C:\WINDOWS\system32\bwxlno9a1p.exe
2007-07-24 08:44 176640 --a------ C:\WINDOWS\system32\gdk.exe
2007-07-12 18:44 65536 --ah----- C:\WINDOWS\system32\onfksd.dll
2007-07-12 18:44 53248 --ah----- C:\WINDOWS\system32\sdprf32.dll
2007-07-12 18:44 462848 --ah----- C:\WINDOWS\system32\ksdmgr32.dll
2007-07-12 18:44 45056 --ah----- C:\WINDOWS\system32\sdperf.exe
2007-07-12 18:44 217088 --ah----- C:\WINDOWS\system32\ksstat.dll
2007-07-12 08:32 31169 --a------ C:\WINDOWS\system32\plugin0707.exe
2007-07-09 08:26 31093 --a------ C:\WINDOWS\system32\skypemsng.exe
2007-07-06 13:50 87921 --a------ C:\WINDOWS\system32\servsq.exe
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2007-07-03 13:52 80515 --a------ C:\WINDOWS\sysc10trg.exe
2007-07-03 13:52 45056 --ah----- C:\WINDOWS\system32\cnnprf32.dll
2007-07-03 13:52 40960 --ah----- C:\WINDOWS\system32\cnnperf.exe
2007-06-28 18:21 8192 --a------ C:\WINDOWS\system32\dbghd3dx.exe
2007-06-28 18:21 31093 --a------ C:\WINDOWS\mcngsk22.exe
2007-06-28 18:21 24576 --a------ C:\WINDOWS\system32\webhsbe.dll
2007-06-28 18:21 24576 --a------ C:\WINDOWS\system32\msimtxl.dll
2007-06-28 18:21 102400 --a------ C:\WINDOWS\system32\winfpgpc.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"cnndiag"="C:\WINDOWS\sysc10trg.exe" [2007-07-03 13:52]
"himem.exe"="C:\WINDOWS\system32\stdex32.exe" [2007-09-08 14:42]
"SoundMnEx32"="C:\WINDOWS\system32\svchd32.exe" []
"ksddi"="C:\WINDOWS\system32\kconf.exe" []
"Sund32"="C:\WINDOWS\system32\Dennt.exe" [2007-08-23 19:30]
"oserv25"="C:\WINDOWS\System32\oserv25.exe" [2007-09-18 18:56]
"hac2"="C:\WINDOWS\system32\hac2.exe" [2007-08-31 16:07]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"regstd"="C:\WINDOWS\system32\regstd.exe" []
"Hacdbg32"="C:\WINDOWS\system32\Hacdbg32.exe" []
"stdex32"="C:\WINDOWS\system32\stdex32.exe" [2007-09-08 14:42]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"zddbg32"="C:\WINDOWS\system32\zddbg32.exe" [2007-09-18 14:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ksdmgr]
ksdmgr32.dll 2007-07-12 18:44 462848 C:\WINDOWS\system32\ksdmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oserv25]
C:\WINDOWS\System32\oserv25.dll 2007-08-24 15:54 98304 C:\WINDOWS\system32\oserv25.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winfpgpc]
C:\WINDOWS\system32\winfpgpc.dll 2007-06-28 18:21 102400 C:\WINDOWS\system32\winfpgpc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= webhsbe.dll e1.dll confcnn.dll onfksd.dll ksstat.dll h2ubcjsw.dll oservmz25.dll diagisr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 18:57:58
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-18 19:00:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-18 19:00
.
--- E O F ---


????
????? ??????? ??? ??????
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Chavruta
Coup de Pouce Lecture CP-CE1 v1.0
DivX
DoroTree
DVD Solution
FormServer
Free Download Manager 2.0 - Free Downloads Center Edition
Frontbase Image To Icon 2.1
Harry Potter II
Hijackthis 1.99.1
HijackThis 1.99.1
hp deskjet 5550 series (Remove only)
HP PrecisionScan
hp print screen utility
ICQ6
LAN Utility
LG ODD Auto Firmware Update
Microsoft Office 2000 Small Business
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
MSN
MSXML 4.0 SP2 (KB927978)
Nero OEM
OLYMPUS Master
PowerDVD
PowerProducer
Presto! PageManager
RealPlayer
RollerCoaster Tycoon 2
SCANPORT ScanModule V2.43
Scooby-Doo (TM), Le Mystère du Château hanté(TM)
Scooby-Doo(TM), Panique dans la Ville fantôme(TM)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Skype 2.5
The Gabay
upapp
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
USB PC Camera 301P
VideoLAN VLC media player 0.8.5
VoipBuster
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Xvid 1.1.2 final uninstall
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm
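A triage helper, added here as an example and not a tool from this thread, HijackThis or ComboFix: it parses the O4 Run and O20 load-point lines of a HijackThis log like the one in the first post and cross-references them with the timestamps and attributes in the "Files Created" / "Find3M" sections of the ComboFix log above, flagging autostarts whose file was created shortly before the scan or carries the hidden attribute, and every AppInit_DLLs entry. The sample lines are copied from the logs in this thread; the 30-day window and the reason strings are this example's own choices.

```python
"""Correlate HijackThis autostart entries with ComboFix's file listing.

Added example for this thread; not part of HijackThis or ComboFix. The
heuristics (recently created, hidden attribute, AppInit_DLLs) are this
example's own triage rules, not the tools'.
"""
import re
from datetime import date, datetime

# Constructed sample: autostart lines copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cnndiag] C:\WINDOWS\sysc10trg.exe
O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\system32\stdex32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\system32\svchd32.exe
O4 - HKLM\..\Run: [oserv25] C:\WINDOWS\System32\oserv25.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O20 - AppInit_DLLs: webhsbe.dll e1.dll confcnn.dll
O20 - Winlogon Notify: oserv25 - C:\WINDOWS\System32\oserv25.dll
"""

# Constructed sample: lines copied from the ComboFix "Files Created" and "Find3M" sections.
COMBOFIX_SAMPLE = r"""
2007-09-18 18:57 53,248 --ah----- C:\WINDOWS\system32\confcnn.dll
2007-09-18 14:34 62,976 --a------ C:\WINDOWS\system32\zddbg32.exe
2007-09-08 14:41 124,444 --a------ C:\WINDOWS\system32\stdex32.exe
2007-08-24 15:54 98,304 --a------ C:\WINDOWS\system32\oserv25.dll
2007-08-24 15:54 79,667 --a------ C:\WINDOWS\system32\oserv25.exe
2007-07-03 13:52 80515 --a------ C:\WINDOWS\sysc10trg.exe
2007-06-28 18:21 24576 --a------ C:\WINDOWS\system32\webhsbe.dll
"""
SCAN_DATE = date(2007, 9, 18)  # date stamped on the ComboFix run in this thread

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Executable at the start of a command line, quoted or bare; trailing arguments are dropped.
CMD_PATH_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|com|scr|bat|cmd)))(?:\s|$)',
    re.IGNORECASE,
)
# ComboFix file line: date, time, size or <DIR>, nine attribute flags, path.
CF_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)


def basename(path):
    """Lower-cased file name, so System32/system32 spellings compare equal."""
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def parse_hjt_autostarts(text):
    """Yield (label, file) pairs for O4 Run and O20 load points in a HijackThis log."""
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            p = CMD_PATH_RE.match(m["cmd"])
            path = (p["quoted"] or p["bare"]) if p else m["cmd"]
            yield f"O4 {m['hive']} Run [{m['name']}]", path
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs names are bare; Windows loads them from System32 into every
            # process that links user32.dll, which is why these entries deserve scrutiny.
            for dll in m["dlls"].split():
                yield "O20 AppInit_DLLs", dll
        elif m := NOTIFY_RE.match(line):
            yield f"O20 Winlogon Notify [{m['name']}]", m["path"]


def parse_combofix_files(text):
    """Map lower-cased file name -> (created, attrs, full path) from ComboFix file lists."""
    files = {}
    for line in text.splitlines():
        if m := CF_FILE_RE.match(line.strip()):
            created = datetime.strptime(m["date"], "%Y-%m-%d").date()
            files[basename(m["path"])] = (created, m["attrs"], m["path"])
    return files


def triage(hjt_text, combofix_text, scan_date, recent_days=30):
    """Return {file name: [reasons]} for autostart entries worth a closer look."""
    files = parse_combofix_files(combofix_text)
    findings = {}
    for label, path in parse_hjt_autostarts(hjt_text):
        name = basename(path)
        reasons = []
        if label == "O20 AppInit_DLLs":
            reasons.append("loaded into every user-mode process via AppInit_DLLs")
        if name in files:
            created, attrs, _ = files[name]
            age = (scan_date - created).days
            if age <= recent_days:
                reasons.append(f"created {age} day(s) before the scan")
            if "h" in attrs:
                reasons.append("hidden attribute set")
        if reasons:
            findings.setdefault(name, []).extend(f"{label}: {r}" for r in reasons)
    return findings


if __name__ == "__main__":
    for name, reasons in triage(HJT_SAMPLE, COMBOFIX_SAMPLE, SCAN_DATE).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```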

Post by Scotty » September 19th, 2007, 11:22 am

Hi

Please follow the steps in this order. And follow the second part of the AVG instruction carefully, to ensure a report is generated.

Download AVG Anti-Spyware.
  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.
    • At the top of the main screen click Update.
      • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close AVG.
If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates

  • How to act
    • Click on Recommended actions, and set to Quarantine.
  • How to scan
    • Check all options.
  • Possibly unwanted software.
    • Check all options.
  • Reports
    • Check Do not automatically generate reports after every scan.
  • What to scan
    • Check Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan and the scan will begin.
  • When the scan has finished
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the Apply all Actions button.
Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Post back with
  • The AVG Report
  • the new Combofix log
  • a new HijackThis log


and tell me how your Internet Explorer is behaving now.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Post by ber88 » September 19th, 2007, 7:34 pm

Hi

Please find below:
  • The AVG Report
  • the new ComboFix log
  • a new HijackThis log

My feelings about Internet Explorer behavior will come later.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:04:56 AM 9/20/2007

+ Scan result:



D:\CIMAGE\PROGRA~1\BARGAI~1\BBCHK.EXE -> Adware.BargainBuddy : Cleaned with backup (quarantined).
D:\CIMAGE\PROGRA~1\BARGAI~1\BIN\BARGAINS.EXE -> Adware.BargainBuddy : Cleaned with backup (quarantined).
D:\Download\mailmoa3.exe/cd_clint.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\Download\mailmoa3.exe/cd_load.exe -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\Download\mailmoa3.exe/cd_swf.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\CIMAGE\PROGRA~1\EXACT\EXACTT~2.DLL -> Adware.Exact : Cleaned with backup (quarantined).
D:\CIMAGE\PROGRA~1\EBATES~1\SYSTEM\CODE\BF~2.CLA -> Adware.MoeMoney : Cleaned with backup (quarantined).
D:\CIMAGE\PROGRA~1\EBATES~1\SYSTEM\CODE\BS~2.CLA -> Adware.MoeMoney : Cleaned with backup (quarantined).
D:\CIMAGE\WINDOWS\NEWDOT~1.DLL -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Download\MsgPlus-301.exe/Sponsor.exe -> Downloader.Swizzor.bt : Cleaned with backup (quarantined).
D:\CIMAGE\PROGRA~1\ENCOMP~1\ENCDIAL.EXE -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP706\A0108751.DLL -> Logger.Agent.rt : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup (quarantined).
D:\CIMAGE\WINDOWS\TEMPOR~1\CONTENT.IE5\P97N1D8Q\PUP_1_~1.HTM -> Trojan.NoClose.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119442.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\sysc10trg.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gdk.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\plugin0707.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\skypemsng.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\updserv32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
D:\Moved\Win98tmp\win98\Ena\WIN98_37.CAB/notepad.exe -> Worm.Volag.c : Cleaned with backup (quarantined).
D:\Moved\Win98tmp\win98\Loc\WIN98_37.CAB/notepad.exe -> Worm.Volag.c : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dbghd3dx.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cnnperf.exe -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cnnprf32.dll -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dcon321.dll -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\diagisr.dll -> Worm.Warezov.mo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\isrprf32.dll -> Worm.Warezov.mo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\isrprov.exe -> Worm.Warezov.mo : Cleaned with backup (quarantined).
[1260] C:\WINDOWS\system32\diagisr.dll -> Worm.Warezov.mo : Cleaned with backup (quarantined).
[3668] C:\WINDOWS\system32\diagisr.dll -> Worm.Warezov.mo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\con321.dll -> Worm.Warezov.nm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\con321.exe -> Worm.Warezov.nm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119444.exe -> Worm.Warezov.og : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\msngr.exe.vir -> Worm.Warezov.og : Cleaned with backup (quarantined).
C:\WINDOWS\mcngsk22.exe -> Worm.Warezov.ou : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP698\A0106509.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP701\A0106589.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP701\A0106604.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107607.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107624.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107634.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP703\A0107647.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP703\A0107665.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP703\A0107689.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP704\A0107698.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP704\A0107720.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP705\A0108721.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP706\A0108740.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP706\A0108754.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP706\A0109751.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP706\A0109761.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP710\A0109928.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP710\A0110929.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP711\A0111928.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP711\A0111939.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP711\A0112939.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0113235.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0113243.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114243.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114253.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114260.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114276.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114286.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114315.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114328.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP714\A0114348.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP715\A0115364.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP715\A0116364.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP715\A0116378.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP716\A0116411.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP718\A0117413.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP718\A0118418.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP718\A0119417.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119443.DLL -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119455.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119545.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0120555.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0120565.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0121564.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0122565.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msimtxl.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winfpgpc.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winfpgpc.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\e1.dll.vir -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1028] C:\WINDOWS\System32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1160] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1280] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1356] C:\WINDOWS\System32\winfpgpc.exe -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1384] C:\WINDOWS\System32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1524] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1660] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1700] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1724] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1740] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1864] C:\WINDOWS\System32\msimtxl.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[1944] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[228] C:\WINDOWS\System32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[2980] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[464] C:\WINDOWS\System32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[544] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[556] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[580] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[588] C:\WINDOWS\System32\msimtxl.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[608] C:\WINDOWS\system32\winfpgpc.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[656] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[668] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[684] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[760] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[828] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
[892] C:\WINDOWS\system32\webhsbe.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107618.exe -> Worm.Warezov.pk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107620.exe -> Worm.Warezov.pk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sk070725.exe -> Worm.Warezov.ps : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP698\A0106504.exe -> Worm.Warezov.ra : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP719\A0119440.exe -> Worm.Warezov.re : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\ss.exe.vir -> Worm.Warezov.re : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107601.exe -> Worm.Warezov.rf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107619.exe -> Worm.Warezov.rh : Cleaned with backup (quarantined).


::Report end

ComboFix 07-09-18.4 - "Oved" 2007-09-20 0:17:32.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.148 [GMT 2:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\confcnn.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-20 00:08 8,192 --a------ C:\WINDOWS\system32\dbghd3dx.exe
2007-09-19 20:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-19 17:38 <DIR> d--hs---- C:\FOUND.008
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 15:33 <DIR> d--hs---- C:\FOUND.007
2007-09-18 14:34 62,976 --a------ C:\WINDOWS\system32\zddbg32.exe
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-09 21:19 <DIR> d--hs---- C:\FOUND.006
2007-09-08 16:42 218 --a------ C:\WINDOWS\system32\cdbg32.exexe.exe
2007-09-08 14:41 124,444 --a------ C:\WINDOWS\system32\stdex32.exe
2007-09-01 22:40 26 --a-s---- C:\WINDOWS\system32\dasrep.dat
2007-08-31 16:31 0 --a------ C:\WINDOWS\jdqlxr8.dll
2007-08-31 16:07 37,195 --a------ C:\WINDOWS\system32\hac2.exe
2007-08-31 15:05 16 --a------ C:\WINDOWS\gfr.dat
2007-08-30 17:37 0 --a------ C:\WINDOWS\c8db5ntkl.dll
2007-08-27 14:02 127,597 --a------ C:\WINDOWS\system32\netdex.exe
2007-08-27 12:22 0 --a------ C:\WINDOWS\lov1co.dat
2007-08-24 15:54 98,304 --a------ C:\WINDOWS\system32\oserv25.dll
2007-08-24 15:54 9,216 --a------ C:\WINDOWS\system32\oservmc25.dll
2007-08-24 15:54 79,667 --a------ C:\WINDOWS\system32\oserv25.exe
2007-08-24 15:54 6,144 --a------ C:\WINDOWS\system32\oservmx25.exe
2007-08-24 15:54 16,384 --a------ C:\WINDOWS\system32\oservmz25.dll
2007-08-23 19:30 84,992 --a------ C:\WINDOWS\system32\Dennt.exe
2007-08-23 19:30 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-23 19:29 741,376 --a------ C:\WINDOWS\system32\libeay32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-17 14:32 45056 --ah----- C:\WINDOWS\system32\sperf.exe
2007-08-08 03:48 114176 --a------ C:\WINDOWS\system32\pk32j.exe
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-24 08:50 61440 --ah----- C:\WINDOWS\system32\h2ubcjsw.dll
2007-07-24 08:50 53248 --ah----- C:\WINDOWS\system32\ewph65as.dll
2007-07-24 08:50 45056 --ah----- C:\WINDOWS\system32\bwxlno9a1p.exe
2007-07-12 18:44 65536 --ah----- C:\WINDOWS\system32\onfksd.dll
2007-07-12 18:44 53248 --ah----- C:\WINDOWS\system32\sdprf32.dll
2007-07-12 18:44 462848 --ah----- C:\WINDOWS\system32\ksdmgr32.dll
2007-07-12 18:44 45056 --ah----- C:\WINDOWS\system32\sdperf.exe
2007-07-12 18:44 217088 --ah----- C:\WINDOWS\system32\ksstat.dll
2007-07-06 13:50 87921 --a------ C:\WINDOWS\system32\servsq.exe
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-18_185929.86 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-03-13 08:57:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"himem.exe"="C:\WINDOWS\system32\stdex32.exe" [2007-09-08 14:42]
"SoundMnEx32"="C:\WINDOWS\system32\svvhost.exe" []
"ksddi"="C:\WINDOWS\system32\kconf.exe" []
"Sund32"="C:\WINDOWS\system32\Dennt.exe" [2007-08-23 19:30]
"oserv25"="C:\WINDOWS\System32\oserv25.exe" [2007-09-20 00:24]
"hac2"="C:\WINDOWS\system32\hac2.exe" [2007-08-31 16:07]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"regstd"="C:\WINDOWS\system32\regstd.exe" []
"Hacdbg32"="C:\WINDOWS\system32\Hacdbg32.exe" []
"stdex32"="C:\WINDOWS\system32\stdex32.exe" [2007-09-08 14:42]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"zddbg32"="C:\WINDOWS\system32\zddbg32.exe" [2007-09-18 14:34]
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ksdmgr]
ksdmgr32.dll 2007-07-12 18:44 462848 C:\WINDOWS\system32\ksdmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oserv25]
C:\WINDOWS\System32\oserv25.dll 2007-08-24 15:54 98304 C:\WINDOWS\system32\oserv25.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winfpgpc]
C:\WINDOWS\system32\winfpgpc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= webhsbe.dll e1.dll confcnn.dll onfksd.dll ksstat.dll h2ubcjsw.dll oservmz25.dll diagisr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 00:26:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 0:30:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 00:30
C:\ComboFix2.txt ... 2007-09-18 19:00
.
--- E O F ---

????
????? ??????? ??? ??????
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
Chavruta
Coup de Pouce Lecture CP-CE1 v1.0
DivX
DoroTree
DVD Solution
FormServer
Free Download Manager 2.0 - Free Downloads Center Edition
Frontbase Image To Icon 2.1
Harry Potter II
Hijackthis 1.99.1
HijackThis 1.99.1
hp deskjet 5550 series (Remove only)
HP PrecisionScan
hp print screen utility
ICQ6
LAN Utility
LG ODD Auto Firmware Update
Microsoft Office 2000 Small Business
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
MSN
MSXML 4.0 SP2 (KB927978)
Nero OEM
OLYMPUS Master
PowerDVD
PowerProducer
Presto! PageManager
RealPlayer
RollerCoaster Tycoon 2
SCANPORT ScanModule V2.43
Scooby-Doo (TM), Le Mystère du Château hanté(TM)
Scooby-Doo(TM), Panique dans la Ville fantôme(TM)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Skype 2.5
The Gabay
upapp
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
USB PC Camera 301P
VideoLAN VLC media player 0.8.5
VoipBuster
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Xvid 1.1.2 final uninstall
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby ber88 » September 22nd, 2007, 3:48 pm

Unfortunately the phenomenon continues.
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Scotty » September 23rd, 2007, 9:09 am

Hi
My apologies for the delay, but my teacher, who checks my fixes before I post to you, was absent for Yom Kippur.
Hopefully the next set of instructions will reduce the problems greatly.

Step 1:
Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\netdex.exe
Click Submit.
Please post the results of this scan to this thread.

Do the same for these files.

C:\WINDOWS\system32\cdbg32.exexe.exe
C:\WINDOWS\system32\pk32j.exe
C:\WINDOWS\system32\reganal32.exe



Step 2:
Open Notepad and Copy/Paste the text in the codebox below into it:

Code:
File:: 
C:\WINDOWS\system32\zddbg32.exe 
C:\WINDOWS\system32\stdex32.exe 
C:\WINDOWS\system32\dasrep.dat 
C:\WINDOWS\jdqlxr8.dll 
C:\WINDOWS\system32\hac2.exe 
C:\WINDOWS\c8db5ntkl.dll 
C:\WINDOWS\lov1co.dat 
C:\WINDOWS\system32\oserv25.dll 
C:\WINDOWS\system32\oservmc25.dll 
C:\WINDOWS\system32\oserv25.exe 
C:\WINDOWS\system32\oservmx25.exe 
C:\WINDOWS\system32\oservmz25.dll 
C:\WINDOWS\system32\Dennt.exe 
C:\WINDOWS\system32\sperf.exe  
C:\WINDOWS\system32\h2ubcjsw.dll 
C:\WINDOWS\system32\ewph65as.dll 
C:\WINDOWS\system32\bwxlno9a1p.exe 
C:\WINDOWS\system32\onfksd.dll 
C:\WINDOWS\system32\sdprf32.dll 
C:\WINDOWS\system32\ksdmgr32.dll 
C:\WINDOWS\system32\sdperf.exe 
C:\WINDOWS\system32\ksstat.dll  
C:\WINDOWS\system32\servsq.exe 
C:\WINDOWS\system32\svvhost.exe 
C:\WINDOWS\system32\regstd.exe 
C:\WINDOWS\system32\Hacdbg32.exe 
C:\WINDOWS\system32\zddbg32.exe 

Registry:: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"himem.exe"=- 
"SoundMnEx32"=- 
"ksddi"=- 
"Sund32"=- 
"oserv25"=- 
"hac2"=- 
"regstd"=- 
"Hacdbg32"=- 
"stdex32"=- 
"zddbg32"=- 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ksdmgr] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oserv25] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winfpgpc] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] 
"appinit_dlls"="" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"UserFaultCheck"=- 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] 
"DisableRegistryTools"=- 

DirLook:: 
C:\FOUND.008 
C:\FOUND.007 
C:\WINDOWS\SxsCaPendDel 
C:\FOUND.006
 


Save this as "CFScript"

Image


Referring to the picture above, drag CFScript onto ComboFix.exe
Then post the resultant log.

Step 3

  • Copy the contents of the Code Box below to Notepad.
  • Name the file export.bat
  • Change the "Save as Type" to All Files
  • and Save it on the desktop
Code:
regedit /a /e look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" 

Notepad look.txt
Double-click the export.bat file.

A Notepad window will open. Copy/paste the contents of that file in your next reply, then close the window and the Command-Line window that will have opened too.

Step 4:
When asked to post a new HijackThis log please
Close all windows and browsers.
Find HijackThis and click it. Click Do a system scan and save a logfile.
When the scan is finished, Notepad will open with the log in it.
When the scan is finished click "Ctrl-A" (the "Ctrl" key and the "A" key at the same time) to highlight the whole log. Now click "Ctrl-C" to copy the text. Open this topic and paste the log into the window that opens up by clicking "Ctrl-V".

Step 5:
Now please post the following:

  • the latest Combofix log
  • the content from look.txt that you found in Notepad
  • a new HijackThis scan
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
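As an added example (not part of this thread and not code from ComboFix, HijackThis or the forum), here is a small Python triage script for the two artefacts Scotty asks for in Steps 2 and 3 above: the ComboFix "Reg Loading Points" Run-key listing and the REGEDIT4 export of the firewall AuthorizedApplications list. It flags Run entries whose timestamp bracket is empty (ComboFix found no file at that exact string: a missing or hidden file, or simply a command line with arguments, as with the legitimate UserFaultCheck entry), file names one edit away from a core Windows binary (svvhost.exe beside svchost.exe), any populated AppInit_DLLs list, and enabled firewall exceptions for programs under C:\WINDOWS. The sample Run block is built from lines of the log above; the firewall export is constructed (the real look.txt in this thread was empty) and assumes the XP SP2 value layout path:scope:state:label. The heuristics are review flags, not verdicts.

```python
"""Triage a ComboFix 'Reg Loading Points' block and a REGEDIT4 export of the
XP SP2 firewall AuthorizedApplications\\List key. Added example for this
thread; not code from ComboFix, HijackThis or the forum."""
import ntpath
import re

# Constructed from lines of the ComboFix log above. An empty [] after a Run
# entry means ComboFix found no file at that exact string when it scanned.
SAMPLE_RUN_BLOCK = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"himem.exe"="C:\WINDOWS\system32\stdex32.exe" [2007-09-08 14:42]
"SoundMnEx32"="C:\WINDOWS\system32\svvhost.exe" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= webhsbe.dll e1.dll confcnn.dll
'''

# Constructed REGEDIT4 export in the shape Step 3's export.bat produces (the
# thread's real look.txt was empty). REGEDIT4 writes backslashes doubled.
SAMPLE_FIREWALL_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\svvhost.exe"="C:\\WINDOWS\\system32\\svvhost.exe:*:Enabled:svvhost"
'''

# Core Windows binaries that malware file names are often one character from.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "spoolsv.exe")
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
REG_VALUE = re.compile(r'^"(?P<vname>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _edit_distance(a, b):
    """Levenshtein distance; enough to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_run_entries(text):
    """One dict per "name"="command" [timestamp] line, tagged with its key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k.group("key")
            continue
        m = RUN_LINE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group("name"),
                            "cmd": m.group("cmd"), "stamp": m.group("stamp")})
    return entries

def parse_appinit_dlls(text):
    """DLL names from AppInit_DLLs, which XP loads into every process that maps
    user32.dll; any non-empty list deserves review. Empty list if unset."""
    m = re.search(r'^"appinit_dlls"=\s*(.*)$', text, re.IGNORECASE | re.MULTILINE)
    return m.group(1).split() if m else []

def triage_run_entries(entries):
    """Map entry name -> reasons to review it. Review flags, not verdicts: a
    legitimate command line with arguments (UserFaultCheck) also shows as []."""
    findings = {}
    for e in entries:
        reasons = []
        exe = ntpath.basename(e["cmd"]).lower()
        if e["stamp"] == "":
            reasons.append("no file at this path when scanned")
        for sysname in SYSTEM_NAMES:
            if exe != sysname and _edit_distance(exe, sysname) == 1:
                reasons.append(f"lookalike of {sysname}")
        if reasons:
            findings[e["name"]] = reasons
    return findings

def parse_firewall_exceptions(regedit4_text):
    """Parse "path"="path:scope:state:label" values from the REGEDIT4 export."""
    rows = []
    for line in regedit4_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        data = m.group("data").replace("\\\\", "\\")
        parts = data.rsplit(":", 3)  # split from the right so the "C:" survives
        if len(parts) == 4:
            rows.append(dict(zip(("path", "scope", "state", "label"), parts)))
    return rows

def enabled_exceptions_under_windows(rows):
    """Enabled exceptions for binaries under C:\\WINDOWS: system components
    rarely need one, and every dropper in the log above lived there."""
    return [r["path"] for r in rows if r["state"].lower() == "enabled"
            and r["path"].lower().startswith("c:\\windows\\")]
```

Run `triage_run_entries(parse_run_entries(SAMPLE_RUN_BLOCK))` and `enabled_exceptions_under_windows(parse_firewall_exceptions(SAMPLE_FIREWALL_EXPORT))` on the samples: SoundMnEx32 is flagged twice (no file on disk, and svvhost.exe is one edit from svchost.exe), UserFaultCheck once (its [] comes from the arguments, which is exactly why these are review flags), RemoteControl and himem.exe not at all, and the firewall check returns only the svvhost.exe exception. The regedit export uses /a, so the parser expects REGEDIT4 (ANSI) escaping with doubled backslashes; a Unicode "Windows Registry Editor Version 5.00" export uses the same quoting for string values and parses the same way.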

Unread postby ber88 » September 23rd, 2007, 8:45 pm

Here are the results of this step:

Comment: The last file C:\windows\system32\reganal32.exe wasn't found!



File: netdex.exe
Status: INFECTED/MALWARE
MD5: 84a037b901ac28ae2dbbee1ebbf65420
Packers detected: PE_PATCH, UPACK
Bit9 reports:


Scanner results
Scan taken on 23 Sep 2007 23:27:14 (GMT)
A-Squared Found nothing
AntiVir Found DR/Spammer.Agent.A.1
ArcaVir Found Heur.Win32
Avast Found nothing
AVG Antivirus Found BackDoor.Generic8.MYV
BitDefender Found Dropped:Trojan.Spammer.Agent.A
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found DLOADER.Trojan (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found W32/IRCBot.B!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/Suspicious_U.gen
Panda Antivirus Found W32/Spamta.ABU.worm
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/IRCBot-B
VirusBuster Found nothing
VBA32 Found MalwareScope.Worm.Warezov.1

File: cdbg32.exexe.exe
Status: OK
MD5: 54fbd8b13fda22a3a960fffdc6b761ae
Packers detected: -
Bit9 reports:

Scanner results
Scan taken on 23 Sep 2007 23:34:16 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: pk32j.exe
Status: INFECTED/MALWARE
MD5: 25796fe678e69d3accd09c6b6ed3fe4b
Packers detected: PEBUNDLE, UPX
Bit9 reports:

Scanner results
Scan taken on 23 Sep 2007 23:39:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:SdBot-3077
AVG Antivirus Found Generic6.UAX
BitDefender Found Dropped:Win32.Worm.Stration.QQS
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found BackDoor.IRC.Sdbot.1404
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.SdBot.byt
Fortinet Found W32/Sdbot!worm
Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.byt
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* File length: 114176 bytes.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\SYSTEM32.
* Creates file C:\WINDOWS\SYSTEM32\dcon321.dll.
* Creates file C:\WINDOWS\SYSTEM32\con321.exe.
* Creates file C:\WINDOWS\SYSTEM32\con321.dll.

[ Changes to registry ]
* Creates value "msproject"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "AppInit_DLLs"=" con321.dll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\msproject".
* Sets value "msproject time"="Cs7?" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\msproject".

[ Network services ]
* Connects to "www.cesaruikintanfsderika.com" on port 6603 (IP).
* Connects to IRC Server.

[ Process/window information ]
* Creates a mutex imrtcx.
* Will automatically restart after boot (I'll be back...).
* Creates an event called {DF396C1F-42D7-4b58-B720-6792267E91E8}.
* Creates an event called {E0FC650B-B049-4ba9-97C1-6B8B0402ABA6}.
* Creates an event called {4C4534EC-1018-48c4-AAF1-A3B258D43AF6}.
* Creates an event called {11EB2AA8-E442-45c9-A45E-F10FFF9F35FF}.
* Creates an event called {C0704821-BE7A-4077-8C30-D3ED805135B0}.
* Creates an event called {AABAE118-E2F0-4d49-9872-CDD474E5751A}.
* Attempts to access service "vsmon".
* Creates an event called {F1D03146-6451-4cde-80E1-2D9905185252}.
* Attempts to access service "SmcService".
* Creates an event called {BE86AAFD-A234-475b-A1F6-28CFF4AC89B1}.
* Attempts to access service "wscsvc".
* Attempts to access service "Symantec Core LC".
* Creates an event called {F760EDF3-E058-44d7-8172-E6452983C9AE}.
* Attempts to access service "OutpostFirewall".
* Creates an event called {CEF307C9-EA23-4bdd-A86D-EA134ACE270D}.
Panda Antivirus Found W32/Spamta.XB.worm
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/IRCBot-C
VirusBuster Found nothing
VBA32 Found MalwareScope.Worm.Warezov.1


ComboFix 07-09-18.4 - "Oved" 2007-09-24 2:05:28.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.62 [GMT 2:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\zddbg32.exe
C:\WINDOWS\system32\stdex32.exe
C:\WINDOWS\system32\dasrep.dat
C:\WINDOWS\jdqlxr8.dll
C:\WINDOWS\system32\hac2.exe
C:\WINDOWS\c8db5ntkl.dll
C:\WINDOWS\lov1co.dat
C:\WINDOWS\system32\oserv25.dll
C:\WINDOWS\system32\oservmc25.dll
C:\WINDOWS\system32\oserv25.exe
C:\WINDOWS\system32\oservmx25.exe
C:\WINDOWS\system32\oservmz25.dll
C:\WINDOWS\system32\Dennt.exe
C:\WINDOWS\system32\sperf.exe
C:\WINDOWS\system32\h2ubcjsw.dll
C:\WINDOWS\system32\ewph65as.dll
C:\WINDOWS\system32\bwxlno9a1p.exe
C:\WINDOWS\system32\onfksd.dll
C:\WINDOWS\system32\sdprf32.dll
C:\WINDOWS\system32\ksdmgr32.dll
C:\WINDOWS\system32\sdperf.exe
C:\WINDOWS\system32\ksstat.dll
C:\WINDOWS\system32\servsq.exe
C:\WINDOWS\system32\svvhost.exe
C:\WINDOWS\system32\regstd.exe
C:\WINDOWS\system32\Hacdbg32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\c8db5ntkl.dll
C:\WINDOWS\jdqlxr8.dll
C:\WINDOWS\lov1co.dat
C:\WINDOWS\system32\bwxlno9a1p.exe
C:\WINDOWS\system32\dasrep.dat
C:\WINDOWS\system32\Dennt.exe
C:\WINDOWS\system32\ewph65as.dll
C:\WINDOWS\system32\h2ubcjsw.dll
C:\WINDOWS\system32\hac2.exe
C:\WINDOWS\system32\ksdmgr32.dll
C:\WINDOWS\system32\ksstat.dll
C:\WINDOWS\system32\onfksd.dll
C:\WINDOWS\system32\oserv25.dll
C:\WINDOWS\system32\oserv25.exe
C:\WINDOWS\system32\oservmc25.dll
C:\WINDOWS\system32\oservmx25.exe
C:\WINDOWS\system32\oservmz25.dll
C:\WINDOWS\system32\sdperf.exe
C:\WINDOWS\system32\sdprf32.dll
C:\WINDOWS\system32\servsq.exe
C:\WINDOWS\system32\sperf.exe
C:\WINDOWS\system32\stdex32.exe
C:\WINDOWS\system32\zddbg32.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-24 02:11 65,536 --ah----- C:\WINDOWS\system32\onfksd.dll
2007-09-24 02:11 65,536 --ah----- C:\WINDOWS\system32\kconf.exe
2007-09-24 02:11 53,248 --ah----- C:\WINDOWS\system32\sdprf32.dll
2007-09-24 02:11 217,088 --ah----- C:\WINDOWS\system32\ksstat.dll
2007-09-20 15:42 <DIR> d--hs---- C:\FOUND.009
2007-09-20 00:08 8,192 --a------ C:\WINDOWS\system32\dbghd3dx.exe
2007-09-19 20:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-19 17:38 <DIR> d--hs---- C:\FOUND.008
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 15:33 <DIR> d--hs---- C:\FOUND.007
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-09 21:19 <DIR> d--hs---- C:\FOUND.006
2007-09-08 16:42 218 --a------ C:\WINDOWS\system32\cdbg32.exexe.exe
2007-08-31 15:05 16 --a------ C:\WINDOWS\gfr.dat
2007-08-27 14:02 127,597 --a------ C:\WINDOWS\system32\netdex.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-23 19:30 741376 --a------ C:\WINDOWS\system32\libeay32.dll
2007-08-23 19:30 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-08 03:48 114176 --a------ C:\WINDOWS\system32\pk32j.exe
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\FOUND.008 ----

2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0010.CHK
2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0008.CHK
2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0006.CHK
2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0005.CHK
2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0004.CHK
2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0001.CHK
2007-09-19 17:38 8192 --------- C:\FOUND.008\FILE0000.CHK
2007-09-19 17:38 40960 --------- C:\FOUND.008\FILE0009.CHK
2007-09-19 17:38 40960 --------- C:\FOUND.008\FILE0007.CHK
2007-09-19 17:38 40960 --------- C:\FOUND.008\FILE0003.CHK
2007-09-19 17:38 16384 --------- C:\FOUND.008\FILE0002.CHK

---- Directory of C:\FOUND.007 ----

2007-09-18 15:33 8192 --------- C:\FOUND.007\FILE0001.CHK
2007-09-18 15:33 8192 --------- C:\FOUND.007\FILE0000.CHK

---- Directory of C:\WINDOWS\SxsCaPendDel ----


---- Directory of C:\FOUND.006 ----

2007-09-09 21:19 8192 --------- C:\FOUND.006\FILE0001.CHK
2007-09-09 21:19 8192 --------- C:\FOUND.006\FILE0000.CHK


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 02:14:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-24 2:17:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-24 02:17
C:\ComboFix3.txt ... 2007-09-18 19:00
C:\ComboFix2.txt ... 2007-09-20 00:30
.
--- E O F ---


Content of look.txt

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Logfile of HijackThis v1.99.1
Scan saved at 2:31:38 AM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Programs\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Scotty » September 24th, 2007, 11:58 am

Hi

Step 1:
This file may not have been found because of the C:\\ instead of C:\, so we will have another go.

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\windows\system32\reganal32.exe
Click Send.
Please post the results of this scan to this thread.

This time highlight the contents of the box and use ctrl+c to copy, then click in the text box that has opened at Virustotal and press ctrl+v to paste.

Step 2:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt in your next reply.


Step 3:
Open Notepad and Copy/Paste the text in the codebox below into it:

Code:
File:: 
C:\WINDOWS\system32\netdex.exe 
C:\WINDOWS\system32\pk32j.exe 
C:\WINDOWS\system32\onfksd.dll 
C:\WINDOWS\system32\kconf.exe 
C:\WINDOWS\system32\sdprf32.dll 
C:\WINDOWS\system32\ksstat.dll 

Folder:: 
C:\FOUND.009 
C:\FOUND.008 
C:\FOUND.007 
C:\FOUND.006

Collect::
C:\WINDOWS\system32\cdbg32.exexe.exe
 


Save this as "CFScript"

Image


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby ber88 » September 24th, 2007, 3:55 pm

Hi,

1. Please be informed that I loaded the requested file.

2. Is it recommended to download "Registry Scan" from http://www.uniblue.com ?



SDFix: Version 1.107

Run by Oved on Mon 09/24/2007 at 09:03 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\1C.TMP - Deleted
C:\66.TMP - Deleted
C:\12.TMP - Deleted
C:\20.TMP - Deleted
C:\27.TMP - Deleted
C:\47.TMP - Deleted
C:\4E.TMP - Deleted
C:\54.TMP - Deleted
C:\92.TMP - Deleted
C:\98.TMP - Deleted
C:\D0.TMP - Deleted
C:\D8.TMP - Deleted
C:\DC.TMP - Deleted
C:\E0.TMP - Deleted
C:\E6.TMP - Deleted
C:\EB.TMP - Deleted
C:\130.TMP - Deleted
C:\135.TMP - Deleted
C:\4.TMP - Deleted
C:\A.TMP - Deleted
C:\F.TMP - Deleted
C:\15.TMP - Deleted
C:\D.TMP - Deleted
C:\13.TMP - Deleted
C:\5.TMP - Deleted
C:\6.TMP - Deleted
C:\A6.TMP - Deleted
C:\AC.TMP - Deleted
C:\B2.TMP - Deleted
C:\BC.TMP - Deleted
C:\7.TMP - Deleted
C:\A4.TMP - Deleted
C:\14.TMP - Deleted
C:\30.TMP - Deleted
C:\48.TMP - Deleted
C:\83.TMP - Deleted
C:\8.TMP - Deleted
C:\C5.TMP - Deleted
C:\9.TMP - Deleted
C:\10.TMP - Deleted
C:\16.TMP - Deleted
C:\1B.TMP - Deleted
C:\21.TMP - Deleted
C:\17.TMP - Deleted
C:\B.TMP - Deleted
C:\1E.TMP - Deleted
C:\26.TMP - Deleted
C:\2F.TMP - Deleted
C:\6E.TMP - Deleted
C:\C.TMP - Deleted
C:\18.TMP - Deleted
C:\19.TMP - Deleted
C:\2C.TMP - Deleted
C:\E.TMP - Deleted
C:\1A.TMP - Deleted
C:\22.TMP - Deleted
C:\4B.TMP - Deleted
C:\11.TMP - Deleted
C:\1D.TMP - Deleted
C:\29.TMP - Deleted
C:\1F.TMP - Deleted
C:\23.TMP - Deleted
C:\24.TMP - Deleted
C:\25.TMP - Deleted
C:\28.TMP - Deleted
C:\31.TMP - Deleted
C:\2A.TMP - Deleted
C:\32.TMP - Deleted
C:\2B.TMP - Deleted
C:\2D.TMP - Deleted
C:\2E.TMP - Deleted
C:\6A.TMP - Deleted
C:\33.TMP - Deleted
C:\99.TMP - Deleted
C:\34.TMP - Deleted
C:\3A.TMP - Deleted
C:\40.TMP - Deleted
C:\5E.TMP - Deleted
C:\35.TMP - Deleted
C:\B5.TMP - Deleted
C:\36.TMP - Deleted
C:\37.TMP - Deleted
C:\38.TMP - Deleted
C:\39.TMP - Deleted
C:\3EF.TMP - Deleted
C:\3B.TMP - Deleted
C:\1D0.TMP - Deleted
C:\3C.TMP - Deleted
C:\42.TMP - Deleted
C:\49.TMP - Deleted
C:\50.TMP - Deleted
C:\BE.TMP - Deleted
C:\3D.TMP - Deleted
C:\12B.TMP - Deleted
C:\3E.TMP - Deleted
C:\44.TMP - Deleted
C:\4C.TMP - Deleted
C:\52.TMP - Deleted
C:\28D.TMP - Deleted
C:\3F.TMP - Deleted
C:\88.TMP - Deleted
C:\41.TMP - Deleted
C:\45.TMP - Deleted
C:\46.TMP - Deleted
C:\43.TMP - Deleted
C:\4A.TMP - Deleted
C:\51.TMP - Deleted
C:\4D.TMP - Deleted
C:\58.TMP - Deleted
C:\4F.TMP - Deleted
C:\53.TMP - Deleted
C:\55.TMP - Deleted
C:\56.TMP - Deleted
C:\5C.TMP - Deleted
C:\63.TMP - Deleted
C:\6B.TMP - Deleted
C:\77.TMP - Deleted
C:\E7.TMP - Deleted
C:\603.TMP - Deleted
C:\57.TMP - Deleted
C:\5D.TMP - Deleted
C:\59.TMP - Deleted
C:\5A.TMP - Deleted
C:\62.TMP - Deleted
C:\141.TMP - Deleted
C:\5B.TMP - Deleted
C:\5B3.TMP - Deleted
C:\5B9.TMP - Deleted
C:\668.TMP - Deleted
C:\5F.TMP - Deleted
C:\69.TMP - Deleted
C:\60.TMP - Deleted
C:\61.TMP - Deleted
C:\64.TMP - Deleted
C:\65.TMP - Deleted
C:\6C.TMP - Deleted
C:\155.TMP - Deleted
C:\7A7.TMP - Deleted
C:\262.TMP - Deleted
C:\67.TMP - Deleted
C:\68.TMP - Deleted
C:\D3.TMP - Deleted
C:\D9.TMP - Deleted
C:\6D.TMP - Deleted
C:\12D.TMP - Deleted
C:\6F.TMP - Deleted
C:\70.TMP - Deleted
C:\B7.TMP - Deleted
C:\71.TMP - Deleted
C:\78.TMP - Deleted
C:\87.TMP - Deleted
C:\FC.TMP - Deleted
C:\72.TMP - Deleted
C:\7E.TMP - Deleted
C:\84.TMP - Deleted
C:\73.TMP - Deleted
C:\A.tmp - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 24 Sep 2007 65,536 A..H. --- "C:\WINDOWS\system32\onfksd.dll"
Mon 24 Sep 2007 65,536 A..H. --- "C:\WINDOWS\system32\kconf.exe"
Mon 24 Sep 2007 53,248 A..H. --- "C:\WINDOWS\system32\sdprf32.dll"
Mon 24 Sep 2007 217,088 A..H. --- "C:\WINDOWS\system32\ksstat.dll"
Tue 13 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 30 Aug 2007 57,344 A..H. --- "C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP702\A0107602.dll"
Sun 12 Nov 2006 1,013,782 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\SIV3D7.tmp"

Finished!



ComboFix 07-09-18.4 - "Oved" 2007-09-24 21:24:45.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.148 [GMT 2:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\netdex.exe
C:\WINDOWS\system32\pk32j.exe
C:\WINDOWS\system32\onfksd.dll
C:\WINDOWS\system32\kconf.exe
C:\WINDOWS\system32\sdprf32.dll
C:\WINDOWS\system32\ksstat.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.007
C:\FOUND.007\FILE0000.CHK
C:\FOUND.007\FILE0001.CHK
C:\FOUND.008
C:\FOUND.008\FILE0000.CHK
C:\FOUND.008\FILE0001.CHK
C:\FOUND.008\FILE0002.CHK
C:\FOUND.008\FILE0003.CHK
C:\FOUND.008\FILE0004.CHK
C:\FOUND.008\FILE0005.CHK
C:\FOUND.008\FILE0006.CHK
C:\FOUND.008\FILE0007.CHK
C:\FOUND.008\FILE0008.CHK
C:\FOUND.008\FILE0009.CHK
C:\FOUND.008\FILE0010.CHK
C:\FOUND.009
C:\FOUND.009\FILE0000.CHK
C:\WINDOWS\system32\cdbg32.exexe.exe
C:\WINDOWS\system32\kconf.exe
C:\WINDOWS\system32\ksstat.dll
C:\WINDOWS\system32\netdex.exe
C:\WINDOWS\system32\onfksd.dll
C:\WINDOWS\system32\pk32j.exe
C:\WINDOWS\system32\sdprf32.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
.

2007-09-24 21:00 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-20 00:08 8,192 --a------ C:\WINDOWS\system32\dbghd3dx.exe
2007-09-19 20:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-31 15:05 16 --a------ C:\WINDOWS\gfr.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-23 19:30 741376 --a------ C:\WINDOWS\system32\libeay32.dll
2007-08-23 19:30 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-18_185929.86 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 21:33:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-24 21:37:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-24 21:37
C:\ComboFix3.txt ... 2007-09-20 00:30
C:\ComboFix2.txt ... 2007-09-24 02:17
.
--- E O F ---




Logfile of HijackThis v1.99.1
Scan saved at 9:46:56 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
D:\Programs\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm
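An added triage helper for the two logs posted above (this is not code from the thread, from HijackThis or from ComboFix): it cross-checks the HijackThis O4 autorun lines against the HijackThis running-process list and against the ComboFix "Reg Loading Points" block, where an empty `[]` after a Run value (as with reganal32 above) means ComboFix found no file to timestamp. The weighting, reason strings and function names are my own, and the sample log lines are constructed from entries posted in this thread.

```python
import re
from dataclasses import dataclass, field

# HijackThis O4 line:  O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
HJT_O4 = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# ComboFix Run value:  "reganal32"="C:\WINDOWS\system32\reganal32.exe" []
# The bracketed field is the target's timestamp; empty brackets mean no file was found.
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]+)" \[(?P<stamp>[^\]]*)\]$')
EXE_PREFIX = re.compile(r'^(?P<path>.+?\.exe)(?:\s.*)?$', re.IGNORECASE)

# Reason strings and weights are this example's own heuristic, not a tool's verdict.
MISSING = 'ComboFix shows no timestamp for the target (file missing or hidden)'
SYSTEM32 = 'target dropped directly in system32 instead of a vendor folder'
NOT_RUNNING = 'target not in the HijackThis running-process list'
WEIGHT = {MISSING: 3, SYSTEM32: 1, NOT_RUNNING: 1}


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return sum(WEIGHT[r] for r in self.reasons)


def exe_path(cmd):
    """Strip quotes and arguments from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_PREFIX.match(cmd)
    return m.group('path') if m else cmd


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def parse_hijackthis(text):
    """Return (set of running-process basenames, list of (name, exe path) O4 entries)."""
    running, autoruns, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith('running processes:'):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            running.add(basename(line))
            continue
        m = HJT_O4.match(line)
        if m:
            autoruns.append((m.group('name'), exe_path(m.group('cmd'))))
    return running, autoruns


def parse_combofix_run(text):
    """Map each Run value name to the timestamp ComboFix printed for its target."""
    return {m.group('name'): m.group('stamp')
            for m in (CF_RUN.match(l.strip()) for l in text.splitlines()) if m}


def triage(hjt_text, combofix_text):
    """Score every O4 autorun; highest score first."""
    running, autoruns = parse_hijackthis(hjt_text)
    stamps = parse_combofix_run(combofix_text)
    findings = []
    for name, path in autoruns:
        f = Finding(name, path)
        if stamps.get(name) == '':
            f.reasons.append(MISSING)
        if path.rpartition('\\')[0].lower().endswith('\\system32'):
            f.reasons.append(SYSTEM32)
        if basename(path) not in running:
            f.reasons.append(NOT_RUNNING)
        findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed samples, copied in shape from the logs posted in this thread.
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_COMBOFIX = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f.score, f.name, f.path, '; '.join(f.reasons))
```

NeroCheck.exe also scores (it runs once at logon and exits, so it is never in the process list), which is why the ComboFix "no timestamp" signal carries the most weight: it separates an orphaned or hidden autorun like reganal32 from a legitimate one-shot tool.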

Unread postby Scotty » September 24th, 2007, 4:20 pm

No, don't download anything. Could you post the results of the upload, if any. And I forgot to add this one for uploading.

C:\WINDOWS\system32\dbghd3dx.exe
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby ber88 » September 25th, 2007, 3:29 pm

Hi,
C:\windows\system32\reganal32.exe - File not found

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: dbghd3dx.exe
Status: INFECTED/MALWARE
MD5: 2f9c488d72ec7a132e5703275b64e265
Packers detected: -
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 25 Sep 2007 19:19:34 (GMT)
A-Squared Found nothing
AntiVir Found WORM/Stration.Gen
ArcaVir Found nothing
Avast Found Win32:Warezov-CKV
AVG Antivirus Found I-Worm/Stration.DQB
BitDefender Found Win32.Warezov.ZJ@mm
ClamAV Found Worm.Stration.AOY-6
CPsecure Found nothing
Dr.Web Found Win32.HLLM.Limar
F-Prot Antivirus Found W32/EmailWorm.NSY
F-Secure Anti-Virus Found Email-Worm.Win32.Warezov.gen
Fortinet Found W32/Stration.6@mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Warezov.gen
NOD32 Found probably a variant of Win32/Stration (probable variant)
Norman Virus Control Found W32/Stration.FPT
Panda Antivirus Found W32/Spamta.AAF.worm
Rising Antivirus Found Worm.Mail.Warezov.cj
Sophos Antivirus Found W32/Strati-Gen
VirusBuster Found nothing
VBA32 Found MalwareScope.Worm.Warezov.1

ber88
Active Member
 
Posts: 14
Joined: September 15th, 2007, 6:03 pm

Unread postby Scotty » September 26th, 2007, 5:35 am

Hi

Open Notepad and Copy/Paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\dbghd3dx.exe
 


Save this as "CFScript"

Image


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please download Icesword v.1.20 from http://www.majorgeeks.com/Icesword_d5199.html

Right-click the file IceSword120_en.zip and click Extract here. It will create a new folder called IceSword120_en

Once IceSword is extracted, with all browser and Explorer windows closed, open the folder and run IceSword
  • Once IceSword is open, click the Win32 Service Function on the left Menu Bar
    If any red entries are found, click the blue Log Tab at the top of the screen and save the log to a place where you can easily find it with the name ISservice-list.txt. Let me know if there are any RED entries in the list and if so which ones they are.
  • Now, Click IceSword's Process Function on the left Menu Bar
    If any red entries are found, click the blue Log tab at the top of the screen and save the log to a place where you can easily find it with the name ISprocesslist.txt. Let me know if there are any RED entries in the list and if so which ones they are.
  • Next go to Startup on the left Menu Bar and click it. In the list that opens up please find the entries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run under Path. Among these entries look in the column Name for reganal32. Note down exactly what it says in the column Data. Let me know if there are any RED entries in the list and if so which ones they are.
  • Now go to the right side of the window again and click File.
    • A list will open up on the right side of the window. In the list please scroll down to Local Disk(C: ) and if there is a plus sign + in front of it please click it.
    • Scroll down to Windows and click the plus sign +.
    • Find System32 and click the +. (It will be close to the bottom. Use the scroll bar to move to the bottom. You probably will need to use the scrollbar at the bottom to move the list so that you can see what you are looking for.)
    • In the main part of the window you will see a list. Try to find reganal32.exe in the list.
    • If you find the file right click it and click Copy to..... A window called Input opens up.
    • On the right side find My Computer and click it.
    • Click Local Disk (C: )
    • In the File Name box please enter reganal32.exe.
    • Click Save. Let me know if the file was showing in RED.
    • Please post ISservice-list.txt and/or ISprocesslist.txt in your next post together with the text in the Data column. Let me know if you could find and copy reganal32.exe and if you saw any entries in RED.

Make sure AVGAntiSpyware is up to date before running the next step, and read the instructions carefully, to ensure a report is produced.

Run a scan with AVG.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
        • Click on Recommended actions, and set to Quarantine.
      • How to scan
        • Check all options.
      • Possibly unwanted software.
        • Check all options.
      • Reports
        • Check Do not automatically generate reports after every scan.
      • What to scan
        • Check Scan every file.
    • Click on the Scan tab.
      • Click on Complete System Scan and the scan will begin.
      • When the scan has finished
        • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
        • At the bottom of the window click on the Apply all Actions button.

Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports


Post back with the following.

Combofix log
Icesword report
AVG report
new HijackThis log
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland