View Full Version : Help with Win32/Adialer.OP
ShoaibS15
2007-11-27, 12:20
Hello guys, this is my first thread here on this site. I really do need your help though. I was using my pc, and suddenly my download speed died on me, and my HD showed that I had no space available when I really have like 180 GB left. Then my desktop disappeared and when I used "alt+ctrl+del", it just gave me an error, so I couldn't even properly restart. So I manually shut down the computer and restarted, and found everything back to normal, except that in Windows Defender, it shows that I have this virus "Trojan: Win32/Adialer.OP". Now, I don't know what to do about this one, and can't find any removal help for it, so any help here would be much appreciated.
I've tried to do the Kasperskyscan but it keeps telling me that the update process FAILED. so I don't know what to do with that. I would, again, appreciate anyhelp, thanks in advance... I will add in here the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:40 AM, on 11/27/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Lexmark 2500 Series\lxddmon.exe
C:\Program Files (x86)\Lexmark 2500 Series\lxddamon.exe
C:\Program Files (x86)\DAEMON Tools\daemon.exe
C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files (x86)\Nero\PhotoShow 5\data\Xtras\mssysmgr.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\Gigabyte\ET5\GUI.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files (x86)\AltBinz\altbinz.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EasyTuneV] "C:\Program Files (x86)\Gigabyte\ET5\ETcall.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files (x86)\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files (x86)\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\imapi32.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~2\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: English<->Arabic - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-Arabic) for Windows\Plugins\IE.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: English<->Arabic - {A1CDDEFB-581F-C648-9744-4CD90CC52092} - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-Arabic) for Windows\Plugins\IE.htm
O9 - Extra 'Tools' menuitem: English<->Arabic - {A1CDDEFB-581F-C648-9744-4CD90CC52092} - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-Arabic) for Windows\Plugins\IE.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///F:/components/hidinputmonitorx.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///F:/components/A9.ocx
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///F:/components/wmvhdrating.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdd_device - - C:\Windows\system32\lxddcoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 11245 bytes
ShoaibS15
2007-11-28, 01:53
Hello guys, I was still waiting for some help. I'm not sure if this thread was looked at or not. Actually, I'm worried about restarting or turnign off my PC, because I don't want to do it and then realize that it has messed up the PC more. Please help.
shelf life
2007-12-02, 16:42
hi,
i dont see a resident antivirus app in the log.
i would get one, install, update and do a full scan:
http://free.grisoft.com/doc/2/us/frt/0
shelf life
ShoaibS15
2007-12-03, 11:16
hi,
i dont see a resident antivirus app in the log.
i would get one, install, update and do a full scan:
http://free.grisoft.com/doc/2/us/frt/0
shelf life
I was able to get the kaspersky to work, and have saved a log, and have also followed your advice and downloaded the antivirus. I've run a scan on that also. Please get back to me soon, thanks.
shelf life
2007-12-04, 01:53
hi ShoaibS15,
ok good. ok post the online scan report if its not to big. what about AVG anti-virus, did it find anything during the scan?
shelf life
ShoaibS15
2007-12-04, 04:04
hi ShoaibS15,
ok good. ok post the online scan report if its not to big. what about AVG anti-virus, did it find anything during the scan?
shelf life
Hi,
Well AVG found the same viruses that the online scan found. The online scan log i'll post here, was taken before the AVG scan. Neither scan found the virus I originally mentioned in this thread, but Windows Defender is only showing that one virus. I guess AVG deleted certain files and "vaulted" a few of them. The online scan is as follows:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 29, 2007 2:20:50 AM
Operating System: Microsoft Windows Vista, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/11/2007
Kaspersky Anti-Virus database records: 467242
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 337977
Number of viruses found: 22
Number of infected objects: 67
Number of suspicious objects: 0
Duration of the scan process: 02:37:38
Infected Object Name / Virus Name / Last Action
C:\$Recycle.Bin\S-1-5-21-3738139478-1067500169-3215437317-1000\$ROVSKSG\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\$Recycle.Bin\S-1-5-21-3738139478-1067500169-3215437317-1000\$ROVSKSG\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe NSIS: infected - 1 skipped
C:\$Recycle.Bin\S-1-5-21-3738139478-1067500169-3215437317-1000\$ROVSKSG\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\kcfcnacj.exe Infected: Trojan-Downloader.Win32.Agent.fke skipped
C:\nbhsamd.exe Infected: Trojan-Dropper.Win32.Agent.csv skipped
C:\oaif.exe Infected: Trojan.Win32.Agent.cxs skipped
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20071126-203158.log Object is locked skipped
C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\BIUA8BC.txt Object is locked skipped
C:\Program Files (x86)\Nero\PhotoShow 5\data\Xtras\nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files (x86)\Nero\PhotoShow 5\data\Xtras\nero_photoshow_express_5_setup.exe NSIS: infected - 1 skipped
C:\ProgramData\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\Current\SharedData.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.54.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.54.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy92.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfAEB5.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfAEB6.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-074131.log Object is locked skipped
C:\ProgramData\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD\How To Fix A Scratched CD.exe/kasperskyhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD\How To Fix A Scratched CD.exe/kasperskywb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD\How To Fix A Scratched CD.exe/kaspersky.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD\How To Fix A Scratched CD.exe/rinst.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD\How To Fix A Scratched CD.exe RAR: infected - 4 skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD\How To Fix A Scratched CD.exe RapSFX: infected - 4 skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD.zip/How To Fix A Scratched CD.exe/kasperskyhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD.zip/How To Fix A Scratched CD.exe/kasperskywb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD.zip/How To Fix A Scratched CD.exe/kaspersky.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD.zip/How To Fix A Scratched CD.exe/rinst.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD.zip/How To Fix A Scratched CD.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
C:\Users\Shoaib\AppData\Local\Alt.Binz\download\How_To_Fix_A_Scratched_CD\How To Fix A Scratched CD.zip ZIP: infected - 5 skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112920071130\index.dat Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H70FKYZQ\bind[2].htm Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\UsrClass.dat{e6a5f925-72b5-11dc-a70e-001a4d526787}.TM.blf Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\UsrClass.dat{e6a5f925-72b5-11dc-a70e-001a4d526787}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows\UsrClass.dat{e6a5f925-72b5-11dc-a70e-001a4d526787}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Shoaib\AppData\Local\Microsoft\Windows Defender\FileTracker\{E37FBD3C-3611-4207-93D9-0FC60FBBD07A} Object is locked skipped
C:\Users\Shoaib\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Shoaib\AppData\Local\Temp\gosDA9C.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Users\Shoaib\AppData\Local\Temp\RarSFX0\rinst.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
C:\Users\Shoaib\AppData\Local\Temp\~DF966C.tmp Object is locked skipped
C:\Users\Shoaib\AppData\Local\Temp\~DFA0A1.tmp Object is locked skipped
C:\Users\Shoaib\AppData\Local\Temp\~DFC55C.tmp Object is locked skipped
C:\Users\Shoaib\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log Object is locked skipped
C:\Users\Shoaib\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Users\Shoaib\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Users\Shoaib\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Users\Shoaib\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Shoaib\ntuser.dat Object is locked skipped
C:\Users\Shoaib\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Shoaib\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Shoaib\ntuser.dat{5b02b8a4-93b9-11dc-8520-001a4d526787}.TM.blf Object is locked skipped
C:\Users\Shoaib\ntuser.dat{5b02b8a4-93b9-11dc-8520-001a4d526787}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Shoaib\ntuser.dat{5b02b8a4-93b9-11dc-8520-001a4d526787}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Volume Information\ •0d¡ .{00021401-0000-0000-C000-000000000046}\6689616875387959.{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\New Folder\Games.exe Infected: Virus.Win32.Tenga.a skipped
C:\Windows\CSC\v2.0.6\pq Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{a7bdf3e5-6a85-11db-b5ae-f1534be43d84}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{a7bdf3e5-6a85-11db-b5ae-f1534be43d84}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{a7bdf3e5-6a85-11db-b5ae-f1534be43d84}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{a7bdf3e1-6a85-11db-b5ae-f1534be43d84}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{a7bdf3e1-6a85-11db-b5ae-f1534be43d84}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{a7bdf3e1-6a85-11db-b5ae-f1534be43d84}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\imapi32.exe Infected: Backdoor.Win32.Shark.ai skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\nnnnkhf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\Windows\System32\winujj32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Windows\System32\xpdx.sys Infected: Trojan.Win32.Agent.cxs skipped
C:\Windows\SysWOW64\imapi32.exe Infected: Backdoor.Win32.Shark.ai skipped
C:\Windows\SysWOW64\nnnnkhf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\Windows\SysWOW64\winujj32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Windows\SysWOW64\xpdx.sys Infected: Trojan.Win32.Agent.cxs skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
E:\copy.exe Infected: Worm.Win32.Perlovga.a skipped
E:\host.exe Infected: Trojan-Dropper.Win32.Small.apl skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP193\A0034446.exe Infected: Worm.Win32.Perlovga.a skipped
E:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP193\A0034447.exe Infected: Trojan-Dropper.Win32.Small.apl skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0006 Infected: Trojan.Win32.Agent.ba skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007/data0002 Infected: Trojan.Win32.Krepper.ag skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.Webdir.a skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007/data0003/stream Infected: not-a-virus:AdWare.Win32.Webdir.a skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.a skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007/data0004/data0004 Infected: Trojan-Downloader.Win32.IstBar.er skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007/data0004 Infected: Trojan-Downloader.Win32.IstBar.er skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream/data0007 Infected: Trojan-Downloader.Win32.IstBar.er skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe/stream Infected: Trojan-Downloader.Win32.IstBar.er skipped
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe NSIS: infected - 9 skipped
Scan process completed.
shelf life
2007-12-05, 00:50
hi,
ok thanks for the info. i would delete the files in the AVG anti-virus vault, repeat a scan with your avg and also do a online scan here:
F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml
uses Internet Explorer only
click on the "start scanning button" near bottom of page.
click to accept/install the ActiveX applet
"accept" the License Agreement, click "full system scan"
Once the download of files completes,the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply along with a current HijackThis log.
------------------------------------------
you have 2 hard drives C and E? make sure avg is scanning all your drives if so.
shelf life
ShoaibS15
2007-12-06, 16:32
Hi...
Well I did exactly what you said, still found some viruses. I'll put down the F-Secure first and then the HJT.
Scanning Report
Wednesday, December 05, 2007 17:25:12 - 18:59:55
Computer name: SHOAIB-PC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ E:\
Result: 11 malware found
IS/Autorun (virus)
E:\AUTORUN.INF (Submitted)
Malware.BHMQ (virus)
C:\WINDOWS\SYSWOW64\BASSMOD.DLL (Submitted)
C:\WINDOWS\SYSTEM32\BASSMOD.DLL (Submitted)
Trojan.Win32.Agent.cxs (virus)
C:\WINDOWS\SYSWOW64\XPDX.SYS (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\XPDX.SYS
W32/DLoader.AKWR (virus)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL (Submitted)
W32/Malware.ACDL (virus)
E:\TRIP TO THE SOUTHEAST\VIDS\SHAAZ\VIRTUAL DJ PRO 3.4\VIRTUAL.DJ.V3.4-PATCH.EXE (Submitted)
W32/Malware.BHJU.dropper (virus)
E:\TRIP TO THE SOUTHEAST\VIDS\SHAAZ\UBS\VIDEOPLAYERS\ZOOM PLAYER\ZOOM PLAYER 4.51 CRACK.EXE (Submitted)
W32/Malware.YBH (virus)
C:\USERS\SHOAIB\APPDATA\LOCAL\ALT.BINZ\DOWNLOAD\LINGVOSOFT_TALKING_DICTIONARY.2007_ENGLISH_ARABIC_V4.0.22_WINALL\LINGVOSOFT.TALKING.DICTIONARY.2007.ENGLISH.ARABIC.V4.0.22.WINALL-CHICNCREAM\LINGVOSOFT.DICTIONARY.2007-PATCH.EXE (Submitted)
W32/SubSeven.2_1 (virus)
E:\S72.2\PACKET32.DLL (Submitted)
W32/SubSeven.ADQ (virus)
E:\S72.2\ICQMAPI.DLL (Submitted)
Statistics
Scanned:
Files: 93571
System: 0
Not scanned: 0
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 10
Submitted: 10
Files not scanned:
Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-12-05
F-Secure Blacklight: 1.0.64
F-Secure Libra: 2.4.2, 2007-11-28
F-Secure Orion: 1.2.37, 2007-12-05
F-Secure Pegasus: 1.19.0, 2007-11-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD LSP MAP MHT MIF PHP POT WMF NWS TAR
Use Advanced heuristics
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:57 PM, on 12/5/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Lexmark 2500 Series\lxddmon.exe
C:\Program Files (x86)\Lexmark 2500 Series\lxddamon.exe
C:\Program Files (x86)\DAEMON Tools\daemon.exe
C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files (x86)\Nero\PhotoShow 5\data\Xtras\mssysmgr.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Grisoft\AVG7\avgcc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\AltBinz\altbinz.exe
C:\PROGRA~2\Yahoo!\MESSEN~1\YServer.exe
C:\Users\Shoaib\AppData\Local\Temp\OnlineScanner\Anti-Virus\OnlineScanner.exe
C:\Users\Shoaib\AppData\Local\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files (x86)\Opera\Opera.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EasyTuneV] "C:\Program Files (x86)\Gigabyte\ET5\ETcall.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files (x86)\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files (x86)\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\imapi32.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~2\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: English<->Arabic - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-Arabic) for Windows\Plugins\IE.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: English<->Arabic - {A1CDDEFB-581F-C648-9744-4CD90CC52092} - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-Arabic) for Windows\Plugins\IE.htm
O9 - Extra 'Tools' menuitem: English<->Arabic - {A1CDDEFB-581F-C648-9744-4CD90CC52092} - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-Arabic) for Windows\Plugins\IE.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///F:/components/hidinputmonitorx.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///F:/components/A9.ocx
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///F:/components/wmvhdrating.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdd_device - - C:\Windows\system32\lxddcoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 12546 bytes
shelf life
2007-12-08, 03:32
hi ShoaibS15,
do you have two hard drives? a C and E?
rather than go after these manually lets try another different online scanner this time. this one: it will also attempt to delete any "bad" files:
ESET online scanner:
http://www.eset.com/onlinescan/
uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.
ShoaibS15
2007-12-09, 18:50
Okay, sorry for the late response. I was busy with family things. Going to your question, yes I have two hard drives. I am running that online scan now... I'll post results later today. Thanks.
ShoaibS15
2007-12-10, 01:45
The scanner found 7 viruses supposedly. Here is the log from ESet:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2711 (20071207)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=715695f95cea7143bd09e074adb3f1b8
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-09 06:20:54
# local_time=2007-12-09 12:20:54 (-0600, Central Standard Time)
# country="United States"
# osver=6.0.6000 NT
# scanned=764349
# found=7
# scan_time=5266
C:\Users\Shoaib\AppData\Local\Temp\removalfile.bat Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Users\Shoaib\AppData\Local\Temp\RarSFX0\rinst.exe Win32/Spy.PerfKey.NAA trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Windows\Downloaded Program Files\gsda.dll Win32/TrojanDownloader.SpyGame.A trojan (unable to clean - deleted) 00000000000000000000000000000000
E:\autorun.inf INF/Autorun virus (unable to clean - deleted) 00000000000000000000000000000000
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe multiple infiltrations (deleted) 00000000000000000000000000000000
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe »NSIS »gristrx.exe Win32/Agent.BA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\Trip to the Southeast\Vids\shaaz\ubs\videoplayers\divx\divx Installer\DivXPlayerPro63-Setup.exe »NSIS »unistl63.exe Win32/Krepper.AG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
shelf life
2007-12-11, 00:41
hi ShoaibS15,
ok thanks for the info. you see whats left, we can manually look for these files and delete them, mainly the last two that says "error while cleaning" it looks like a installation file thats embedded with a trojan:
DivXPlayerPro63-
see if you can find that file and delete it.
shelf life
ShoaibS15
2007-12-12, 00:20
hi ShoaibS15,
ok thanks for the info. you see whats left, we can manually look for these files and delete them, mainly the last two that says "error while cleaning" it looks like a installation file thats embedded with a trojan:
DivXPlayerPro63-
see if you can find that file and delete it.
shelf life
Thanks... I did delete that file... but I don't know where to go from here... Should I send you anymore logs? If so tell me which ones. Thanks agaain for all your help.
shelf life
2007-12-12, 05:38
hi,
thanks for the info. one more download to run:
Download rustbfix.exe ...and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles in reply please.
lets repeat the online Eset scan also.
shelf life
ShoaibS15
2007-12-12, 19:41
Hi,
I did exactly what you asked so far, and from what I can see, it looks like I'm getting good results; but I'm not exactly sure.
ESet Scan:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2718 (20071212)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=715695f95cea7143bd09e074adb3f1b8
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-12 01:06:28
# local_time=2007-12-12 07:06:28 (-0600, Central Standard Time)
# country="United States"
# osver=6.0.6000 NT
# scanned=767339
# found=0
# scan_time=5667
The "rustbfix" results:
************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Wed 12/12/2007 11:39:57.97
No Rustock.b-rootkits found
******************************* End of Logfile ********************************
Please let me know if there is anything else I can do.
shelf life
2007-12-13, 02:03
hi ShoaibS15,
it looks like I'm getting good results
yes i think you are also.
------------------------------------------
you can remove combofix like this:
go to start run and type in combofix /u
then enter. there is a space after the "x"
you can delete the Rustbfix folder found here:
Local Disk (C)
last you can make a new restore point:
One of the features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is agood idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
----------------------------------------
you can get some prevention tips in the first link below also.
happy safe surfing
shelf life