Lots of virus/malware problems



mpena23
2007-05-25, 16:12
I've run Spybot; it can't delete everything, even on restart.
I don't know how I let it get this bad.
Scan Results: 285977 files scanned. 117 viruses were detected.

File Infection Status Path
!update.exe Win32/Clspring.GS deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
1.dllb Win32/Dewnuttin.A deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
5.dllb Win32/Tibs!generic deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
aqvxt42.game Win32/Dewnuttin.A deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
ma1x1ddv.game Win32/SilentCaller.V deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
mst155.tmp Win32/Aflac.D deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp16.tmp.exe Win32/Vundo.CI deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp19.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp1A.tmp.exe Win32/Vundo.CI deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp1C.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp24.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp27.tmp.exe Win32/Darksma.AC deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp29.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp2C.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp2D0.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp30E.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp34.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp37F.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp38F.tmp.exe Win32/Darksma.AF deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp396.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp3CF.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp41.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp431.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp43A.tmp.exe Win32/Darksma.AC deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp45.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp46.tmp.exe Win32/Darksma.AC deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp4F.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp51.tmp.exe Win32/Darksma.AB deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp55.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp58.tmp.exe Win32/Darksma.AF deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp59.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp5A.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp5B.tmp.exe Win32/Darksma.AF deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp5D.tmp.exe Win32/Vundo.CM deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp6A.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp6F.tmp.exe Win32/Vundo.CI deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmp70.tmp.exe Win32/Darksma.AC deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
tmpE3.tmp.exe Win32/SillyDl.CPH deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\
install_ct.exe Win32/Propo deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temp\~compoundinst0\
alt[1].exe Win32/Sintun deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\0TA7WP6N\
negas[1].htm JS/MS06-014!exploit deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\217CTK3Y\
us0032[1].anr Win32/MS05-002!exploit deleted C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\217CTK3Y\
version[1].jar>BaaaaBaa.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\217CTK3Y\
version[1].jar>VaaaaaaaBaa.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\217CTK3Y\
version[1].jar>Baaaaa.class Java/Shinwow.BJ cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\217CTK3Y\
arr[1].ani Win32/MS07-017!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\45YJ89A7\
404-7[1].htm JS/MS05-054!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\4XY3GD6F\
animan[1].class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\4XY3GD6F\
count[1].jar>BlackBox.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\4XY3GD6F\
count[1].jar>VerifierBug.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\4XY3GD6F\
count[1].jar>Dummy.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\4XY3GD6F\
count[1].jar>Beyond.class Java/Shinwow.AT cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\4XY3GD6F\
count[1].jar>BlackBox.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\85YN09IZ\
count[1].jar>VerifierBug.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\85YN09IZ\
count[1].jar>Dummy.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\85YN09IZ\
count[1].jar>Beyond.class Java/Shinwow.AT cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\85YN09IZ\
lientnstaller15_02[1] Win32/SillyDl.CPH cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\980FHPCX\
crtdcghcn[1].jar>BaaaaBaa.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
crtdcghcn[1].jar>VaaaaaaaBaa.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
crtdcghcn[1].jar>Baaaaa.class Java/Shinwow.BJ cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
crtdcghcn[2].jar>BaaaaBaa.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
crtdcghcn[2].jar>VaaaaaaaBaa.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
crtdcghcn[2].jar>Baaaaa.class Java/Shinwow.BJ cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
pee[1].exe Win32/Pecoan.S cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
smysmymr20070406[1] Win32/Vundo.CM cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\CHIJK5QJ\
404-6[1].htm JS/MS05-054!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\D2F1PI46\
!update-4395[1].0000 Win32/Clspring.GS cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\G5EN4DQR\
new605[1].htm JS/MS06-014!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\G5EN4DQR\
slide605[1].htm JS/CVE-2006-3730!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\G5EN4DQR\
404-4[1].htm JS/MS05-054!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\GJ2NU8GU\
123[1].htm Win32/MS07-017!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\SP6FC9EB\
hh[1].htm VBS/MS06-014!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\SP6FC9EB\
z-014-3[1].htm JS/MS06-014!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\SP6FC9EB\
count[1].jar>BlackBox.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\W1MFWDU3\
count[1].jar>VerifierBug.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\W1MFWDU3\
count[1].jar>Dummy.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\W1MFWDU3\
count[1].jar>Beyond.class Java/Shinwow.AT cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\W1MFWDU3\
setup(2)[1].exe Win32/Bancos!generic cannot cure C:\Documents and Settings\Matthew Pena\Local Settings\Temporary Internet Files\Content.IE5\W1MFWDU3\
Dc12.exe Win32/Bancos!generic cannot cure C:\RECYCLER\S-1-5-21-3546262936-51874078-734244975-1006\
A0115520.dll Win32/Vundo.CM cannot cure C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1847\
A0115521.dll Win32/Vundo.CM cannot cure C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1847\
A0118525.exe Win32/SillyDl.BAX cannot cure C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\
A0120525.exe Win32/Clspring!generic cannot cure C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\
cbywvt.dll Win32/Vundo.CM cannot cure C:\WINDOWS\
goezdin.exe Win32/SillyDl.CTT cannot cure C:\WINDOWS\
offun.exe Win32/Notiex.F cannot cure C:\WINDOWS\
pmkljh.dll Win32/Vundo.CM cannot cure C:\WINDOWS\
sys011266124061-.exe Win32/SillyDl.BAX cannot cure C:\WINDOWS\
alt.exe.exe Win32/Sintun cannot cure C:\WINDOWS\SYSTEM32\
dlh9jkd1q1.exe Win32/Dewnuttin.A cannot cure C:\WINDOWS\SYSTEM32\
dlh9jkd1q5.exe Win32/Tibs!generic cannot cure C:\WINDOWS\SYSTEM32\
core.sys Win32/Tesllar.A cannot cure C:\WINDOWS\SYSTEM32\DRIVERS\
mstridge9.sys Win32/Smamate cannot cure C:\WINDOWS\SYSTEM32\DRIVERS\
drvkoj.dll Win32/Aflac.D cannot cure C:\WINDOWS\SYSTEM32\
drvlif.dll Win32/Aflac.D cannot cure C:\WINDOWS\SYSTEM32\
max1d164v.exe Win32/SilentCaller.V cannot cure C:\WINDOWS\SYSTEM32\
pee.exe.exe Win32/Pecoan.S cannot cure C:\WINDOWS\SYSTEM32\
qthtpive.dll Win32/Darksma.X cannot cure C:\WINDOWS\SYSTEM32\
sqvx5gamet2.exe Win32/Dewnuttin.A cannot cure C:\WINDOWS\SYSTEM32\
d5ll.exe Win32/Tesllar.A cannot cure C:\WINDOWS\SYSTEM32\T4\
tmp27.tmp.dll Win32/Darksma.AC cannot cure C:\WINDOWS\SYSTEM32\
tmp29.tmp.dll Win32/Darksma.AF cannot cure C:\WINDOWS\SYSTEM32\
tmp30D.tmp.dll Win32/Darksma.AS cannot cure C:\WINDOWS\SYSTEM32\
tmp38F.tmp.dll Win32/Darksma.AF cannot cure C:\WINDOWS\SYSTEM32\
tmp43A.tmp.dll Win32/Darksma.AC cannot cure C:\WINDOWS\SYSTEM32\
tmp46.tmp.dll Win32/Darksma.AC cannot cure C:\WINDOWS\SYSTEM32\
tmp51.tmp.dll Win32/Darksma.AB cannot cure C:\WINDOWS\SYSTEM32\
tmp58.tmp.dll Win32/Darksma.AF cannot cure C:\WINDOWS\SYSTEM32\
tmp5B.tmp.dll Win32/Darksma.AF cannot cure C:\WINDOWS\SYSTEM32\
tmp70.tmp.dll Win32/Darksma.AC cannot cure C:\WINDOWS\SYSTEM32\
tmpDA.tmp.dll Win32/Darksma.AS cannot cure C:\WINDOWS\SYSTEM32\
vtstrqo.dll Win32/Darksma.AJ cannot cure C:\WINDOWS\SYSTEM32\
wincom32.ini Win32/Pecoan cannot cure C:\WINDOWS\SYSTEM32\
wincom32.sys Win32/Pecoan.S cannot cure C:\WINDOWS\SYSTEM32\
windev-c7a-2437.sys Win32/Tibs cannot cure C:\WINDOWS\SYSTEM32\
mst23.tmp Win32/Aflac.D cannot cure C:\WINDOWS\Temp\
uninst108.exe Win32/SillyDl.AWB cannot cure C:\WINDOWS\

HJT log in next post

Thanks in advance for help!

mpena23
2007-05-25, 16:13
Logfile of HijackThis v1.99.1
Scan saved at 8:05:02 AM, on 5/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew Pena\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [notwv] C:\WINDOWS\notwv.exe
O4 - HKLM\..\Run: [sbinwtup] C:\WINDOWS\sbinwtup.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\iShareIt\ishareit.exe /SYSTRAY
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\gebxvt.dll",setvm
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\khiiih.dll",realset
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [sys011266124061-] C:\WINDOWS\sys011266124061-.exe
O4 - HKLM\..\Run: [goezdinA] C:\WINDOWS\goezdinA.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{87-7A-AE-E3-ZN}] c:\windows\system32\mpdsrego.exe CHD001
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvkoj.dll,startup
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\owinqndu.exe CHD001
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5971] command /c del "C:\Program Files\NewDotNet\newdotnet6_38.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4209] cmd /c del "C:\Program Files\NewDotNet\newdotnet6_38.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [mshtml] C:\WINDOWS\System32\mshtml.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [wininet] "C:\WINDOWS\System32\wininet.exe"
O4 - HKCU\..\Run: [ctl3dv2] "C:\WINDOWS\System32\ctl3dv2.exe"
O4 - HKCU\..\Run: [tx_htm32] "C:\WINDOWS\System32\tx_htm32.exe"
O4 - HKCU\..\Run: [rcdscan] "C:\WINDOWS\System32\rcdscan.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\CROSOF~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Bdu] C:\WINDOWS\SYSTEM32\?racle\l?gonui.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5006] command /c del "C:\Program Files\NewDotNet\newdotnet6_38.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD452] cmd /c del "C:\Program Files\NewDotNet\newdotnet6_38.dll_old"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\owinqndu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\games\Bodog Poker\BPGame.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.4.22/canasta/canasta-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud13.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://connect.jpmorganchase.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104w.bay104.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180096760625
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dGhldyBQZW5h\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: netdi - Unknown owner - C:\WINDOWS\System32\netdi.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\goezdin.exe
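
As an added example (not code from the thread or from HijackThis itself), here is a small Python triage script that applies the kind of rules a helper uses when reading O4/O23 lines like the ones above: binaries launched directly from the Windows folder, rundll32 loading a DLL at logon, long opaque arguments, characters the log could not render, services with no vendor or a missing file, and folder names that are base64 of readable text. The rules, thresholds and the constructed sample (lines taken from the log above with benign ones mixed in) are my assumptions.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample: lines copied from the log in the post above, with benign ones mixed in.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [notwv] C:\WINDOWS\notwv.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\gebxvt.dll",setvm
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bdu] C:\WINDOWS\SYSTEM32\?racle\l?gonui.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dGhldyBQZW5h\command.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\goezdin.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A binary sitting directly in the Windows folder (not System32 or any subfolder).
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll|sys)\b", re.IGNORECASE)


def first_path(cmd: str) -> str:
    """Pull the first drive-letter path (quoted or not) out of a command line."""
    m = re.search(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys))"?', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def looks_base64_word(component: str) -> bool:
    """True if a folder name is valid base64 that decodes to printable ASCII text."""
    if len(component) < 12 or len(component) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", component):
        return False
    try:
        text = base64.b64decode(component, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return text.isprintable() and any(c.isalpha() for c in text)


def triage_line(line: str) -> List[str]:
    """Return the heuristic reasons a line deserves a closer look (empty list = nothing noted)."""
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        path = first_path(cmd)
        if WIN_ROOT_RE.match(path):
            reasons.append("autostart binary directly under the Windows folder")
        if cmd.lower().startswith("rundll32") and path.lower().endswith(".dll"):
            reasons.append("rundll32 loading a DLL export at logon")
        if re.search(r"\s[0-9A-Fa-f]{32,}\s*$", cmd):
            reasons.append("long opaque hex argument")
        # A '?' in a logged path usually marks a character the log could not render.
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("unrenderable or non-ASCII character in path")
        return reasons
    m = O23_RE.match(line)
    if m:
        owner, path = m.group("owner"), m.group("path")
        if owner.lower() == "unknown owner" and WIN_ROOT_RE.match(path):
            reasons.append("service with no vendor, binary directly under the Windows folder")
        if "(file missing)" in path:
            reasons.append("service points at a missing file")
        for comp in path.split("\\")[1:-1]:  # directory components only, not drive or file
            if looks_base64_word(comp):
                reasons.append(f"folder name {comp!r} is base64 of printable text")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run the heuristics over every line; return (line, reasons) for flagged lines only."""
    return [(ln, triage_line(ln)) for ln in text.strip().splitlines() if triage_line(ln)]


if __name__ == "__main__":
    for ln, why in triage_log(SAMPLE_LOG):
        print(ln)
        for r in why:
            print("   ->", r)
```

A hit is a prompt to look closer, not a verdict; some legitimate installers do drop an autostart under the Windows folder.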

Mr_JAk3
2007-05-27, 12:52
Hello and welcome to the Forums :)

You have a MASSIVE malware collection there.

I must warn that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post.

tashi
2007-06-04, 10:13
This topic has been moved to archives to prevent others with similar issues posting to it.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

This applies only to the original poster; anyone else with similar problems, please start your own topic.