View Full Version : Getting BSOD and random files installed
seretogis
2007-05-26, 04:45
For some reason, whenever I close IE or any application or whatever, sometimes I'll get a blue screen of death. It doesn't happen always, for it can happen after 5 minutes, or even a few hours of being on my PC.
I'll also get random files installed on my PC in my system32 folder, such as totour.exe and others. I can clean these out but they are always back when I restart.
The following steps I have tried:
Safe-mode, ad-ware, spybot, trend micro onlinescanner, microsoft's online scanner, AVG... and while trend micro can detect 2 problems, they cannot remove them due to being in use.
Here is my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:20:10 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccUpdUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://131.243.78.110/kxhcm10.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1073F96C-ECBA-4181-ACF5-5D1EA8C243E9}: NameServer = 207.69.188.186 207.69.188.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{1073F96C-ECBA-4181-ACF5-5D1EA8C243E9}: NameServer = 207.69.188.186 207.69.188.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
If you can, please help! I'm desperate...
Hello seretogis and welcome to the Forums :)
Let's do a little research... What are the names of these random files?
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
seretogis
2007-05-27, 19:01
Hello! :D
ComboFix Log:
"Owner" - 2007-05-27 9:40:48 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Owner\My Documents\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\windev-peers.ini"
"C:\cp1041.nls"
Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NTLDR.SYS
-------\LEGACY_WINCOM32
-------\ntldr.sys
((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))
2007-05-25 22:18 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-05-25 22:18 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-05-25 22:18 199,440 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-05-25 22:18 1,052,472 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-05-25 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-05-25 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-05-20 23:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-19 21:43 <DIR> d-------- C:\Program Files\Ashampoo
2007-05-18 23:51 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-18 13:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-11 10:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-10 21:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-10 21:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-10 21:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-10 21:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-08 21:57 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 22:58 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-05-06 22:58 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-05-03 13:36 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SecondLife
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-27 16:39:37 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\HouseCall 6.6
2007-05-26 18:27:00 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-05-23 09:54:32 -------- d-----w C:\Program Files\Windows Live Safety Center
2007-05-22 19:08:15 -------- d-----w C:\Program Files\World of Warcraft
2007-05-20 02:24:47 -------- d-----w C:\Program Files\MSN Messenger
2007-05-20 02:24:47 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-19 01:08:13 -------- d-----w C:\Program Files\Winamp
2007-05-18 20:47:53 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-18 20:47:34 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-14 23:07:57 -------- d-----w C:\Program Files\DivX
2007-05-07 20:14:23 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-26 05:01:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MusicIP
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-22 09:07:31 108,144 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-22 09:07:31 -------- d--h--r C:\DOCUME~1\Owner\APPLIC~1\SecuROM
2007-04-18 20:29:20 -------- d-----w C:\Program Files\Azureus
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-17 05:33:10 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Screenshot Sender
2007-04-12 04:19:42 -------- d-----w C:\Program Files\AIM
2007-04-12 00:12:50 1,082 ----a-w C:\WINDOWS\checkip.dat
2007-04-03 05:06:29 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-23 13:07:56 1,683,280 -c----w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 13:07:54 583,504 -c----w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 03:25:02 124,928 -c----w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 -c--a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 23:51:00 129,784 -c----w C:\WINDOWS\system32\pxafs.dll
2006-11-24 03:01:54 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-24 03:01:54 56 -csh--r C:\WINDOWS\system32\CEF65CEFDF.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" []
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-06-01 11:34 C:\WINDOWS\system32\CTXFIHLP.EXE]
"GuruClock"="C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe" [2004-10-06 15:15]
"ABIT uGuru"="C:\Program Files\ABIT\ABIT uGuru\uGuru.exe" [2005-01-11 17:21]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2004-04-10 23:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-17 12:19]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-01-30 09:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=1 (0x1)
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoSMHelp"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"HideClock"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System update]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{070a15af-4446-11db-a965-00508dd93bda}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96d159a8-79e5-11da-bb61-806d6172696f}]
Contents of the 'Scheduled Tasks' folder
2007-05-26 17:38:49 C:\WINDOWS\tasks\XoftSpySE.job
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 09:42:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
********************************************************************
Completion time: 2007-05-27 9:46:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 09:45
--- E O F ---
As of right now, my AVG has a ton of files quarantine. If these files are 'cleaned' or 'deleted', they come back right after restart. The files that are quarantined are named: kciof.dll, bwetj.dll, njxvd.dll, besldjmvw.dll, uxvshbajypkiu.dll, u.dll, mapcxgpph.dll, isrqqgg.dll, _delete_on_reboot__j_._dll_, j.dll, jmbdesjiq.dll, rlkjuxjsehhfv.dll, bppubxgts.dll, rxbwg.dll, totour.exe which are all found in the system32 folder.
When I run xoftSpySE, it constantly finds the following cookies, even if I don't run IE or anything: 3 "Adbureau cookie", 1 "reference cookie" all located in my cookies folder.
ComboFox also has a log of quarantined files. Did you want to see that too? I appreciate this help!
Hi again, we'll continue :)
No need for the other combo log
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open AVG Anti-Spyware
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
==================
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings on purpose.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
-Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
seretogis
2007-05-28, 02:33
Hello again! :D
Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:28:17 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://131.243.78.110/kxhcm10.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1073F96C-ECBA-4181-ACF5-5D1EA8C243E9}: NameServer = 207.69.188.186 207.69.188.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{1073F96C-ECBA-4181-ACF5-5D1EA8C243E9}: NameServer = 207.69.188.186 207.69.188.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
SDFix:
SDFix: Version 1.85
Run by Owner - Sun 05/27/2007 - 16:56:01.21
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\MYDOCU~1\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Checking For Files with Hidden Attributes:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\CEF65CEFDF.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Finished
AVG Scan Report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:22:54 PM 5/27/2007
+ Scan result:
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3AE6663D-8F87-4FC0-8549-122256A66FD5}\RP583\A0198602.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
::Report end
And I have a lot more items quarentined from a scan I did a few days ago. I mentioned the file names of these virus' in my second post. :O
Hello :)
Looks better...Any issues?
we'll run another scanner
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
seretogis
2007-05-28, 21:10
Wow! It looks like this scanner found a lot :(
KASPERSKY ONLINE SCANNER REPORT
Monday, May 28, 2007 12:04:30 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/05/2007
Kaspersky Anti-Virus database records: 333239
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 42007
Number of viruses found 5
Number of infected objects 13 / 0
Number of suspicious objects 0
Duration of the scan process 00:24:25
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\6C9C.tmp.bac_a04020 Infected: Trojan-Proxy.Win32.Agent.ls skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\8D89.tmp.bac_a04020 Infected: Trojan-Proxy.Win32.Agent.ls skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\crypts.dll.bac_a04020 Infected: Trojan-Downloader.Win32.Agent.ber skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\fzikjttkvdk.dll.bac_a04020 Infected: Trojan.Win32.Agent.afg skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ogpkrpldhpkna.dll.bac_a04020 Infected: Trojan.Win32.Agent.afg skipped
C:\Documents and Settings\Owner\Application Data\Aim\pyxkgnat\JetEnduroWA\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Aim\pyxkgnat\JetEnduroWA\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\6540.tmp.bac_a02468 Infected: Trojan-Proxy.Win32.Agent.ls skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\98BB.tmp.bac_a02468 Infected: Trojan-Proxy.Win32.Agent.ls skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\crypts.dll.bac_a02468 Infected: Trojan-Downloader.Win32.Agent.ber skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\EE3B.tmp.bac_a02468 Infected: Trojan-Proxy.Win32.Agent.ls skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\mstask64.dll.bac_a00872 Infected: Trojan-Spy.Win32.Delf.ex skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\xjz2007[1].bmp.bac_a00420 Infected: Exploit.Win32.IMG-ANI.ac skipped
C:\Documents and Settings\Owner\Application Data\HouseCall 6.6\Backup\__delete_on_reboot__u_x_v_s_h_b_a_j_y_p_k_i_u_._d_l_l_.bac_a00420 Infected: Trojan.Win32.Agent.afg skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\dark_insurgent@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\dark_insurgent@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\dark_insurgent@hotmail.com\SharingMetadata\Working\database_88D8_6C98_D86C_8672\dfsr.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\dark_insurgent@hotmail.com\SharingMetadata\Working\database_88D8_6C98_D86C_8672\fsr.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\dark_insurgent@hotmail.com\SharingMetadata\Working\database_88D8_6C98_D86C_8672\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\dark_insurgent@hotmail.com\SharingMetadata\Working\database_88D8_6C98_D86C_8672\tmp.edb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\dark_insurgent@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\dark_insurgent@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF761D.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF7628.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E94.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E9F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~ROMFN_0000021C Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\4.tmp Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\World of Warcraft\Logs\gx.log Object is locked skipped
C:\Program Files\World of Warcraft\Logs\Sound.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3AE6663D-8F87-4FC0-8549-122256A66FD5}\RP584\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Nothing bad there as the files were inside the quarantine.
How is the computer running at the moment?
seretogis
2007-05-30, 00:34
Everything seems to be running a lot smoother now. Although I did notice that everytime I restart my computer, immediately as I log on the internet (without even opening ANY explorers) I will get some advertisement cookies in my cookies folder.
I have not noticed any Blue Screens of Death so far, though!
Hi again, it is looking clean now :)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)