PDA

View Full Version : PWS.LDPinchIE and Other Fun



xardoz
2008-11-22, 03:44
I am working on a friends machine. He must have thought it a good idea to click on every bad link on the internet. That being said, I have run SpyBot and AVG in both regular and safemode not allowing the machine internet connection. I keep getting more positive hit with both programs....

Here is the HiJackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:08 PM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {59473508-e685-425c-84fa-d64887db848f} - C:\WINDOWS\system32\siwusidi.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [vivofireta] Rundll32.exe "C:\WINDOWS\system32\nilugetu.dll",s
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\User\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\User\Application Data\Microsoft\Windows\lsass.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hapameva.dll,avgrsstx.dll
O20 - Winlogon Notify: c003f4d0 - c003F4D0.mat (file missing)
O20 - Winlogon Notify: lmctdzyz - lmctdzyz.dll (file missing)
O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 6167 bytes

peku006
2008-11-23, 11:09
Hello and Welcome to Safer Networking,

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

This is a fairly long instruction, but you can do it. Just take it one step at a time. If there is any step where you need help, please post back and ask.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2- Download and Install SDFix
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3 - Boot into Safe Mode

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

4- Run SDFix

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

5 - Scan With ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

6 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

7 - Status Check
Please reply with

1. the SDFix.Report.txt (C:\SDFix\report.txt)
2. the ComboFix log(C:\ComboFix.txt)
3. a fresh HijackThis log

Thanks peku006

xardoz
2008-11-23, 21:01
Thank you for the reply/directions.
Here are the results.

xardoz
2008-11-23, 21:06
Thought I had all three reports....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:13 AM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 4781 bytes

peku006
2008-11-23, 21:50
Hi xardoz

1 - Download and run OTMoveIt3

Download OTMoveIt3 by OldTimer from here (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Launch OTMoveIt3.exe and copy the text from the codebox below into the lefthand box below "Paste Instructions for Items to be Moved"


:files
c:\windows\system32\kelarozo.exe
c:\windows\system32\gopulali.exe
c:\windows\system32\ceg.sdr
c:\windows\system32\QI19
c:\documents and settings\User\Application Data\IUpd721
c:\temp
c:\documents and settings\User\Application Data\NI.GSCNS
c:\windows\system32\drivers\b3cabbd1.sys
c:\windows\system32\rgv.xl
c:\windows\system32\fe.sp
c:\windows\system32\def.help
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

Double-check that the input matches the code box above and then click the MoveIt! button to start the script. If you're prompted about rebooting allow the request.
Once OTMoveIt finishes, a log will be located at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss. (mmddyyyy_hhmmss is a timestamp from when the log was created)
Include this log in your next reply

2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the OTMoveIt3 log
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
How is the computer running now?

Thanks peku006

xardoz
2008-11-24, 01:27
Can I run AVG ot SpyBot again?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:01 PM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 4737 bytes



Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 2

11/23/2008 3:21:03 PM
mbam-log-2008-11-23 (15-21-03).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 76530
Time elapsed: 19 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\user\start menu\programs\antispyknight\ (Rogue.AntispyKnight) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvrsol32.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3F421A2-D34D-4696-BDBD-CDF25D490652}\RP543\A0057949.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3F421A2-D34D-4696-BDBD-CDF25D490652}\RP544\A0058033.dll (Trojan.Downloader) -> Quarantined and deleted successfully.



========== FILES ==========
c:\windows\system32\kelarozo.exe moved successfully.
c:\windows\system32\gopulali.exe moved successfully.
c:\windows\system32\ceg.sdr moved successfully.
c:\windows\system32\QI19 moved successfully.
c:\documents and settings\User\Application Data\IUpd721\Logs moved successfully.
c:\documents and settings\User\Application Data\IUpd721 moved successfully.
c:\Temp\NT32 moved successfully.
c:\Temp moved successfully.
c:\documents and settings\User\Application Data\NI.GSCNS moved successfully.
c:\windows\system32\drivers\b3cabbd1.sys moved successfully.
c:\windows\system32\rgv.xl moved successfully.
c:\windows\system32\fe.sp moved successfully.
c:\windows\system32\def.help moved successfully.
File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11232008_145120

Files moved on Reboot...
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.

peku006
2008-11-24, 10:53
Hi xardoz

Can I run AVG ot SpyBot again?
Yes, after online scan.......

1 - Update Java

Please download JavaRa (http://prm753.bchea.org/click/click.php?id=9) and unzip it to your desktop.

Double-click on JavaRa.exe to start the program.
Click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
A log file will pop up. Please save it to a convenient location.


Download the latest version of Java Runtime Environment (JRE) 6 Update 10 (http://java.sun.com/javase/downloads/index.jsp).

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.


3 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006

xardoz
2008-11-25, 06:41
I was called out of the state for three days, please wait.... :oops:

xardoz
2008-11-28, 17:07
Here are the results


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:23 AM, on 11/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 4779 bytes



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 27, 2008 15:19:34
Records in database: 1421479
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 35137
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:04:17


File name / Threat name / Threats count
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir Infected: Trojan.Win32.Patched.bb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_user32_.dll.zip Infected: Trojan.Win32.Patched.bb 1
C:\SDFix\backups\backups.zip Infected: Trojan-Mailfinder.Win32.Mailbot.dj 2
C:\WINDOWS\system32\dllcache\user32.dll Infected: Trojan.Win32.Patched.bb 1

The selected area was scanned.

peku006
2008-11-28, 19:19
Hi xardoz

I'd like you to check a file for Viruses.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)

C:\WINDOWS\system32\dllcache\user32.dll

Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.


Please reply with

the Jotti/Virustotal results

Thanks peku006

xardoz
2008-11-28, 21:39
Antivirus Version Last Update Result
AhnLab-V3 2008.11.28.2 2008.11.28 Win-Trojan/User32Hk
AntiVir 7.9.0.36 2008.11.28 -
Authentium 5.1.0.4 2008.11.28 -
Avast 4.8.1281.0 2008.11.28 Win32:Patched-DV
AVG 8.0.0.199 2008.11.28 -
BitDefender 7.2 2008.11.28 -
CAT-QuickHeal 10.00 2008.11.28 -
ClamAV 0.94.1 2008.11.28 -
DrWeb 4.44.0.09170 2008.11.28 -
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6234 2008.11.28 Win32/Pruserinf
Ewido 4.0 2008.11.28 -
F-Prot 4.4.4.56 2008.11.27 -
F-Secure 8.0.14332.0 2008.11.28 Trojan.Win32.Patched.bb
Fortinet 3.117.0.0 2008.11.28 -
GData 19 2008.11.28 Win32:Patched-DV
Ikarus T3.1.1.45.0 2008.11.28 -
K7AntiVirus 7.10.537 2008.11.28 -
Kaspersky 7.0.0.125 2008.11.28 Trojan.Win32.Patched.bb
McAfee 5448 2008.11.28 -
McAfee+Artemis 5447 2008.11.27 potentially unwanted program Patched User32
Microsoft 1.4104 2008.11.28 -
NOD32 3650 2008.11.28 -
Norman 5.80.02 2008.11.28 -
Panda 9.0.0.4 2008.11.28 W32/Patched.D
PCTools 4.4.2.0 2008.11.28 -
Prevx1 V2 2008.11.28 -
Rising 21.05.42.00 2008.11.28 Trojan.Win32.Patched.bi
SecureWeb-Gateway 6.7.6 2008.11.28 -
Sophos 4.36.0 2008.11.28 Troj/User32Hk-A
Sunbelt 3.1.1832.2 2008.11.27 -
Symantec 10 2008.11.28 -
TheHacker 6.3.1.1.166 2008.11.28 -
TrendMicro 8.700.0.1004 2008.11.28 Mal_Patch-1
VBA32 3.12.8.9 2008.11.28 -
ViRobot 2008.11.28.1491 2008.11.28 -
VirusBuster 4.5.11.0 2008.11.28 -
Additional information
File size: 577536 bytes
MD5...: 4a9f00e551d0c03f4029634301a4c521
SHA1..: b74eb62869d87f18132549ffb773631b6bc45e7b
SHA256: 6541b7807e9360b127569e287b368fba281d9379368c899e61085cce59b52b7c
SHA512: 5c8e2c8d13e8e9d064d59920f9b0b79fc97f55c96e502cb0cc7cb5601fefc95c
93ab7c8d33608e6b937c1f5d5e1daff88a68f3bfc36279a15ad36bcbe9585aec
ssdeep: 6144:Q6WQ/QyvNp4mrjxp7bHrt9YvG2A+hKea4PE1KE0e2Rxb8p+dMJ2mQbi9meD
x2mZN:1vjxp7bHHYly4M1yxQn+i9vYMlL
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7e42e966
timedatestamp.....: 0x45f02d7c (Thu Mar 08 15:36:28 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5efe7 0x5f000 6.64 409d78c10e92dd9591970ed264561978
.data 0x60000 0x1180 0xc00 2.39 1e6fe31ca0bbc6ed365eeb3a400e689f
.rsrc 0x62000 0x2a098 0x2a200 4.97 f46eb5bfb44b42d4462f4514bd102213
.reloc 0x8d000 0x2de8 0x2e00 6.78 29147feab00159bf20d090a34b6e2b09

( 3 imports )
> GDI32.dll: GetClipRgn, ExtSelectClipRgn, GetHFONT, GetMapMode, SetGraphicsMode, GetClipBox, CreateRectRgn, CreateRectRgnIndirect, SetLayout, GetBoundsRect, ExcludeClipRect, PlayEnhMetaFile, CreatePen, Ellipse, CreateEllipticRgn, GdiFixUpHandle, GetTextCharacterExtra, SetTextCharacterExtra, GetCurrentObject, GetViewportOrgEx, SetViewportOrgEx, PolyPatBlt, CreateBrushIndirect, SetBoundsRect, CopyEnhMetaFileW, CopyMetaFileW, GetPaletteEntries, CreatePalette, SetPaletteEntries, bInitSystemAndFontsDirectoriesW, bMakePathNameW, cGetTTFFromFOT, GetPixel, ExtTextOutA, GetTextCharsetInfo, QueryFontAssocStatus, GetCharWidthInfo, GetCharWidthA, GetTextFaceW, GetCharABCWidthsA, GetCharABCWidthsW, SetBrushOrgEx, CreateFontIndirectW, EnumFontsW, GetTextFaceAliasW, GetTextMetricsW, GetTextColor, GetBkMode, GetViewportExtEx, GetWindowExtEx, GdiGetCharDimensions, GdiGetCodePage, GetTextCharset, GdiPrinterThunk, GdiAddFontResourceW, TranslateCharsetInfo, SaveDC, OffsetWindowOrgEx, RestoreDC, ExtTextOutW, GetObjectType, GetDIBits, CreateDIBSection, SetStretchBltMode, SelectPalette, RealizePalette, SetDIBits, CreateDCW, CreateDIBitmap, CreateCompatibleBitmap, SetBitmapBits, DeleteDC, GdiValidateHandle, GdiProcessSetup, CreateSolidBrush, GetStockObject, CreateCompatibleDC, GdiConvertBitmapV5, GdiCreateLocalEnhMetaFile, GdiCreateLocalMetaFilePict, GetRgnBox, CombineRgn, OffsetRgn, MirrorRgn, EnableEUDC, GdiConvertToDevmodeW, GetTextExtentPointA, GetTextExtentPointW, CreateBitmap, SetLayoutWidth, PatBlt, TextOutA, TextOutW, BitBlt, GdiConvertAndCheckDC, StretchBlt, SetRectRgn, GdiReleaseDC, GdiConvertEnhMetaFile, GdiConvertMetaFilePict, DeleteEnhMetaFile, DeleteMetaFile, DeleteObject, GetDIBColorTable, GetDeviceCaps, StretchDIBits, GetLayout, SetBkColor, SetTextColor, GetObjectW, GetBkColor, SetBkMode, SelectObject, IntersectClipRect, GetTextAlign, SetTextAlign, GdiDllInitialize
> KERNEL32.dll: LocalSize, LocalUnlock, SizeofResource, LoadResource, FindResourceExW, FindResourceExA, GetModuleHandleW, DisableThreadLibraryCalls, GetCurrentThreadId, IsDBCSLeadByteEx, SearchPathW, ExpandEnvironmentStringsW, LoadLibraryExW, GlobalAddAtomW, GetSystemDirectoryW, GetComputerNameW, GetCurrentProcess, GetCurrentThread, ExitThread, GetExitCodeThread, CreateThread, HeapReAlloc, GlobalHandle, FoldStringW, Sleep, GetStringTypeW, GetStringTypeA, GetCPInfo, HeapSize, CloseHandle, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetFileSize, ReadFile, SetFileTime, GetFileTime, GetSystemWindowsDirectoryW, CopyFileW, MoveFileW, DeleteFileW, CreateProcessW, AddAtomA, AddAtomW, GetAtomNameW, GetAtomNameA, IsValidLocale, ConvertDefaultLocale, CompareStringW, GetCurrentDirectoryW, SetCurrentDirectoryW, lstrlenW, GetLogicalDrives, FindClose, FindNextFileW, FindFirstFileW, GetThreadLocale, VirtualFree, ProcessIdToSessionId, GetCurrentProcessId, InterlockedCompareExchange, IsDBCSLeadByte, LCMapStringW, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount, lstrlenA, GlobalFindAtomA, GetModuleFileNameA, GetModuleHandleA, GlobalAddAtomA, DelayLoadFailureHook, LoadLibraryA, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, LocalLock, LocalReAlloc, GetACP, GetOEMCP, InterlockedIncrement, InterlockedDecrement, SetLastError, GlobalFindAtomW, GlobalAlloc, MultiByteToWideChar, GlobalReAlloc, GetLastError, GetProcAddress, LoadLibraryW, FreeLibrary, lstrcpynW, CreateFileW, WritePrivateProfileStringW, lstrcmpiW, SetEvent, WaitForMultipleObjectsEx, WideCharToMultiByte, GlobalFlags, GetLocaleInfoW, GlobalFree, GetModuleFileNameW, GlobalGetAtomNameW, GlobalGetAtomNameA, InterlockedExchange, DeleteAtom, LocalAlloc, GlobalDeleteAtom, LocalFree, GlobalSize, GlobalLock, GlobalUnlock, GetUserDefaultLCID, HeapAlloc, HeapFree, lstrcpyW, lstrcatW, GetPrivateProfileStringW, RegisterWaitForInputIdle
> ntdll.dll: NtQueryVirtualMemory, RtlUnwind, RtlNtStatusToDosError, NlsAnsiCodePage, RtlAllocateHeap, qsort, RtlMultiByteToUnicodeSize, LdrFlushAlternateResourceModules, RtlPcToFileHeader, wcsrchr, NtRaiseHardError, RtlIsNameLegalDOS8Dot3, strrchr, sscanf, NtQueryKey, NtEnumerateValueKey, RtlRunEncodeUnicodeString, RtlRunDecodeUnicodeString, _wcsicmp, CsrAllocateCaptureBuffer, CsrCaptureMessageBuffer, CsrFreeCaptureBuffer, NtOpenThreadToken, NtOpenProcessToken, NtQueryInformationToken, CsrClientCallServer, memmove, NtCallbackReturn, RtlUnicodeToMultiByteSize, RtlActivateActivationContextUnsafeFast, RtlDeactivateActivationContextUnsafeFast, RtlInitializeCriticalSection, NtQuerySystemInformation, swprintf, RtlDeleteCriticalSection, RtlImageNtHeader, CsrClientConnectToServer, NtYieldExecution, NtCreateKey, NtSetValueKey, NtDeleteValueKey, RtlQueryInformationActiveActivationContext, RtlReleaseActivationContext, RtlFreeHeap, wcsncpy, wcscmp, wcstoul, wcscat, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlCreateUnicodeStringFromAsciiz, RtlFreeUnicodeString, NtOpenDirectoryObject, _chkstk, wcscpy, wcsncat, NtSetSecurityObject, NtQuerySecurityObject, NtQueryInformationProcess, wcstol, wcslen, RtlFindActivationContextSectionString, RtlMultiByteToUnicodeN, RtlUnicodeToMultiByteN, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlOpenCurrentUser, NtEnumerateKey, NtOpenKey, NtClose, NtQueryValueKey, RtlInitUnicodeString, RtlUnicodeStringToInteger

( 732 exports )
ActivateKeyboardLayout, AdjustWindowRect, AdjustWindowRectEx, AlignRects, AllowForegroundActivation, AllowSetForegroundWindow, AnimateWindow, AnyPopup, AppendMenuA, AppendMenuW, ArrangeIconicWindows, AttachThreadInput, BeginDeferWindowPos, BeginPaint, BlockInput, BringWindowToTop, BroadcastSystemMessage, BroadcastSystemMessageA, BroadcastSystemMessageExA, BroadcastSystemMessageExW, BroadcastSystemMessageW, BuildReasonArray, CalcMenuBar, CallMsgFilter, CallMsgFilterA, CallMsgFilterW, CallNextHookEx, CallWindowProcA, CallWindowProcW, CascadeChildWindows, CascadeWindows, ChangeClipboardChain, ChangeDisplaySettingsA, ChangeDisplaySettingsExA, ChangeDisplaySettingsExW, ChangeDisplaySettingsW, ChangeMenuA, ChangeMenuW, CharLowerA, CharLowerBuffA, CharLowerBuffW, CharLowerW, CharNextA, CharNextExA, CharNextW, CharPrevA, CharPrevExA, CharPrevW, CharToOemA, CharToOemBuffA, CharToOemBuffW, CharToOemW, CharUpperA, CharUpperBuffA, CharUpperBuffW, CharUpperW, CheckDlgButton, CheckMenuItem, CheckMenuRadioItem, CheckRadioButton, ChildWindowFromPoint, ChildWindowFromPointEx, CliImmSetHotKey, ClientThreadSetup, ClientToScreen, ClipCursor, CloseClipboard, CloseDesktop, CloseWindow, CloseWindowStation, CopyAcceleratorTableA, CopyAcceleratorTableW, CopyIcon, CopyImage, CopyRect, CountClipboardFormats, CreateAcceleratorTableA, CreateAcceleratorTableW, CreateCaret, CreateCursor, CreateDesktopA, CreateDesktopW, CreateDialogIndirectParamA, CreateDialogIndirectParamAorW, CreateDialogIndirectParamW, CreateDialogParamA, CreateDialogParamW, CreateIcon, CreateIconFromResource, CreateIconFromResourceEx, CreateIconIndirect, CreateMDIWindowA, CreateMDIWindowW, CreateMenu, CreatePopupMenu, CreateSystemThreads, CreateWindowExA, CreateWindowExW, CreateWindowStationA, CreateWindowStationW, CsrBroadcastSystemMessageExW, CtxInitUser32, DdeAbandonTransaction, DdeAccessData, DdeAddData, DdeClientTransaction, DdeCmpStringHandles, DdeConnect, DdeConnectList, DdeCreateDataHandle, DdeCreateStringHandleA, DdeCreateStringHandleW, DdeDisconnect, DdeDisconnectList, DdeEnableCallback, DdeFreeDataHandle, DdeFreeStringHandle, DdeGetData, DdeGetLastError, DdeGetQualityOfService, DdeImpersonateClient, DdeInitializeA, DdeInitializeW, DdeKeepStringHandle, DdeNameService, DdePostAdvise, DdeQueryConvInfo, DdeQueryNextServer, DdeQueryStringA, DdeQueryStringW, DdeReconnect, DdeSetQualityOfService, DdeSetUserHandle, DdeUnaccessData, DdeUninitialize, DefDlgProcA, DefDlgProcW, DefFrameProcA, DefFrameProcW, DefMDIChildProcA, DefMDIChildProcW, DefRawInputProc, DefWindowProcA, DefWindowProcW, DeferWindowPos, DeleteMenu, DeregisterShellHookWindow, DestroyAcceleratorTable, DestroyCaret, DestroyCursor, DestroyIcon, DestroyMenu, DestroyReasons, DestroyWindow, DeviceEventWorker, DialogBoxIndirectParamA, DialogBoxIndirectParamAorW, DialogBoxIndirectParamW, DialogBoxParamA, DialogBoxParamW, DisableProcessWindowsGhosting, DispatchMessageA, DispatchMessageW, DisplayExitWindowsWarnings, DlgDirListA, DlgDirListComboBoxA, DlgDirListComboBoxW, DlgDirListW, DlgDirSelectComboBoxExA, DlgDirSelectComboBoxExW, DlgDirSelectExA, DlgDirSelectExW, DragDetect, DragObject, DrawAnimatedRects, DrawCaption, DrawCaptionTempA, DrawCaptionTempW, DrawEdge, DrawFocusRect, DrawFrame, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawMenuBarTemp, DrawStateA, DrawStateW, DrawTextA, DrawTextExA, DrawTextExW, DrawTextW, EditWndProc, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndDeferWindowPos, EndDialog, EndMenu, EndPaint, EndTask, EnterReaderModeHelper, EnumChildWindows, EnumClipboardFormats, EnumDesktopWindows, EnumDesktopsA, EnumDesktopsW, EnumDisplayDevicesA, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsA, EnumDisplaySettingsExA, EnumDisplaySettingsExW, EnumDisplaySettingsW, EnumPropsA, EnumPropsExA, EnumPropsExW, EnumPropsW, EnumThreadWindows, EnumWindowStationsA, EnumWindowStationsW, EnumWindows, EqualRect, ExcludeUpdateRgn, ExitWindowsEx, FillRect, FindWindowA, FindWindowExA, FindWindowExW, FindWindowW, FlashWindow, FlashWindowEx, FrameRect, FreeDDElParam, GetActiveWindow, GetAltTabInfo, GetAltTabInfoA, GetAltTabInfoW, GetAncestor, GetAppCompatFlags, GetAppCompatFlags2, GetAsyncKeyState, GetCapture, GetCaretBlinkTime, GetCaretPos, GetClassInfoA, GetClassInfoExA, GetClassInfoExW, GetClassInfoW, GetClassLongA, GetClassLongW, GetClassNameA, GetClassNameW, GetClassWord, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardFormatNameA, GetClipboardFormatNameW, GetClipboardOwner, GetClipboardSequenceNumber, GetClipboardViewer, GetComboBoxInfo, GetCursor, GetCursorFrameInfo, GetCursorInfo, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDialogBaseUnits, GetDlgCtrlID, GetDlgItem, GetDlgItemInt, GetDlgItemTextA, GetDlgItemTextW, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetGUIThreadInfo, GetGuiResources, GetIconInfo, GetInputDesktop, GetInputState, GetInternalWindowPos, GetKBCodePage, GetKeyNameTextA, GetKeyNameTextW, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameA, GetKeyboardLayoutNameW, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetLastInputInfo, GetLayeredWindowAttributes, GetListBoxInfo, GetMenu, GetMenuBarInfo, GetMenuCheckMarkDimensions, GetMenuContextHelpId, GetMenuDefaultItem, GetMenuInfo, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuItemInfoW, GetMenuItemRect, GetMenuState, GetMenuStringA, GetMenuStringW, GetMessageA, GetMessageExtraInfo, GetMessagePos, GetMessageTime, GetMessageW, GetMonitorInfoA, GetMonitorInfoW, GetMouseMovePointsEx, GetNextDlgGroupItem, GetNextDlgTabItem, GetOpenClipboardWindow, GetParent, GetPriorityClipboardFormat, GetProcessDefaultLayout, GetProcessWindowStation, GetProgmanWindow, GetPropA, GetPropW, GetQueueStatus, GetRawInputBuffer, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceInfoW, GetRawInputDeviceList, GetReasonTitleFromReasonCode, GetRegisteredRawInputDevices, GetScrollBarInfo, GetScrollInfo, GetScrollPos, GetScrollRange, GetShellWindow, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTabbedTextExtentA, GetTabbedTextExtentW, GetTaskmanWindow, GetThreadDesktop, GetTitleBarInfo, GetTopWindow, GetUpdateRect, GetUpdateRgn, GetUserObjectInformationA, GetUserObjectInformationW, GetUserObjectSecurity, GetWinStationInfo, GetWindow, GetWindowContextHelpId, GetWindowDC, GetWindowInfo, GetWindowLongA, GetWindowLongW, GetWindowModuleFileName, GetWindowModuleFileNameA, GetWindowModuleFileNameW, GetWindowPlacement, GetWindowRect, GetWindowRgn, GetWindowRgnBox, GetWindowTextA, GetWindowTextLengthA, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, GetWindowWord, GrayStringA, GrayStringW, HideCaret, HiliteMenuItem, IMPGetIMEA, IMPGetIMEW, IMPQueryIMEA, IMPQueryIMEW, IMPSetIMEA, IMPSetIMEW, ImpersonateDdeClientWindow, InSendMessage, InSendMessageEx, InflateRect, InitializeLpkHooks, InitializeWin32EntryTable, InsertMenuA, InsertMenuItemA, InsertMenuItemW, InsertMenuW, InternalGetWindowText, IntersectRect, InvalidateRect, InvalidateRgn, InvertRect, IsCharAlphaA, IsCharAlphaNumericA, IsCharAlphaNumericW, IsCharAlphaW, IsCharLowerA, IsCharLowerW, IsCharUpperA, IsCharUpperW, IsChild, IsClipboardFormatAvailable, IsDialogMessage, IsDialogMessageA, IsDialogMessageW, IsDlgButtonChecked, IsGUIThread, IsHungAppWindow, IsIconic, IsMenu, IsRectEmpty, IsServerSideWindow, IsWinEventHookInstalled, IsWindow, IsWindowEnabled, IsWindowInDestroy, IsWindowUnicode, IsWindowVisible, IsZoomed, KillSystemTimer, KillTimer, LoadAcceleratorsA, LoadAcceleratorsW, LoadBitmapA, LoadBitmapW, LoadCursorA, LoadCursorFromFileA, LoadCursorFromFileW, LoadCursorW, LoadIconA, LoadIconW, LoadImageA, LoadImageW, LoadKeyboardLayoutA, LoadKeyboardLayoutEx, LoadKeyboardLayoutW, LoadLocalFonts, LoadMenuA, LoadMenuIndirectA, LoadMenuIndirectW, LoadMenuW, LoadRemoteFonts, LoadStringA, LoadStringW, LockSetForegroundWindow, LockWindowStation, LockWindowUpdate, LockWorkStation, LookupIconIdFromDirectory, LookupIconIdFromDirectoryEx, MBToWCSEx, MB_GetString, MapDialogRect, MapVirtualKeyA, MapVirtualKeyExA, MapVirtualKeyExW, MapVirtualKeyW, MapWindowPoints, MenuItemFromPoint, MenuWindowProcA, MenuWindowProcW, MessageBeep, MessageBoxA, MessageBoxExA, MessageBoxExW, MessageBoxIndirectA, MessageBoxIndirectW, MessageBoxTimeoutA, MessageBoxTimeoutW, MessageBoxW, ModifyMenuA, ModifyMenuW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MoveWindow, MsgWaitForMultipleObjects, MsgWaitForMultipleObjectsEx, NotifyWinEvent, OemKeyScan, OemToCharA, OemToCharBuffA, OemToCharBuffW, OemToCharW, OffsetRect, OpenClipboard, OpenDesktopA, OpenDesktopW, OpenIcon, OpenInputDesktop, OpenWindowStationA, OpenWindowStationW, PackDDElParam, PaintDesktop, PaintMenuBar, PeekMessageA, PeekMessageW, PostMessageA, PostMessageW, PostQuitMessage, PostThreadMessageA, PostThreadMessageW, PrintWindow, PrivateExtractIconExA, PrivateExtractIconExW, PrivateExtractIconsA, PrivateExtractIconsW, PrivateSetDbgTag, PrivateSetRipFlags, PtInRect, QuerySendMessage, QueryUserCounters, RealChildWindowFromPoint, RealGetWindowClass, RealGetWindowClassA, RealGetWindowClassW, ReasonCodeNeedsBugID, ReasonCodeNeedsComment, RecordShutdownReason, RedrawWindow, RegisterClassA, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterClipboardFormatA, RegisterClipboardFormatW, RegisterDeviceNotificationA, RegisterDeviceNotificationW, RegisterHotKey, RegisterLogonProcess, RegisterMessagePumpHook, RegisterRawInputDevices, RegisterServicesProcess, RegisterShellHookWindow, RegisterSystemThread, RegisterTasklist, RegisterUserApiHook, RegisterWindowMessageA, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, RemovePropW, ReplyMessage, ResolveDesktopForWOW, ReuseDDElParam, ScreenToClient, ScrollChildren, ScrollDC, ScrollWindow, ScrollWindowEx, SendDlgItemMessageA, SendDlgItemMessageW, SendIMEMessageExA, SendIMEMessageExW, SendInput, SendMessageA, SendMessageCallbackA, SendMessageCallbackW, SendMessageTimeoutA, SendMessageTimeoutW, SendMessageW, SendNotifyMessageA, SendNotifyMessageW, SetActiveWindow, SetCapture, SetCaretBlinkTime, SetCaretPos, SetClassLongA, SetClassLongW, SetClassWord, SetClipboardData, SetClipboardViewer, SetConsoleReserveKeys, SetCursor, SetCursorContents, SetCursorPos, SetDebugErrorLevel, SetDeskWallpaper, SetDlgItemInt, SetDlgItemTextA, SetDlgItemTextW, SetDoubleClickTime, SetFocus, SetForegroundWindow, SetInternalWindowPos, SetKeyboardState, SetLastErrorEx, SetLayeredWindowAttributes, SetLogonNotifyWindow, SetMenu, SetMenuContextHelpId, SetMenuDefaultItem, SetMenuInfo, SetMenuItemBitmaps, SetMenuItemInfoA, SetMenuItemInfoW, SetMessageExtraInfo, SetMessageQueue, SetParent, SetProcessDefaultLayout, SetProcessWindowStation, SetProgmanWindow, SetPropA, SetPropW, SetRect, SetRectEmpty, SetScrollInfo, SetScrollPos, SetScrollRange, SetShellWindow, SetShellWindowEx, SetSysColors, SetSysColorsTemp, SetSystemCursor, SetSystemMenu, SetSystemTimer, SetTaskmanWindow, SetThreadDesktop, SetTimer, SetUserObjectInformationA, SetUserObjectInformationW, SetUserObjectSecurity, SetWinEventHook, SetWindowContextHelpId, SetWindowLongA, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowStationUser, SetWindowTextA, SetWindowTextW, SetWindowWord, SetWindowsHookA, SetWindowsHookExA, SetWindowsHookExW, SetWindowsHookW, ShowCaret, ShowCursor, ShowOwnedPopups, ShowScrollBar, ShowStartGlass, ShowWindow, ShowWindowAsync, SoftModalMessageBox, SubtractRect, SwapMouseButton, SwitchDesktop, SwitchToThisWindow, SystemParametersInfoA, SystemParametersInfoW, TabbedTextOutA, TabbedTextOutW, TileChildWindows, TileWindows, ToAscii, ToAsciiEx, ToUnicode, ToUnicodeEx, TrackMouseEvent, TrackPopupMenu, TrackPopupMenuEx, TranslateAccelerator, TranslateAcceleratorA, TranslateAcceleratorW, TranslateMDISysAccel, TranslateMessage, TranslateMessageEx, UnhookWinEvent, UnhookWindowsHook, UnhookWindowsHookEx, UnionRect, UnloadKeyboardLayout, UnlockWindowStation, UnpackDDElParam, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, UnregisterHotKey, UnregisterMessagePumpHook, UnregisterUserApiHook, UpdateLayeredWindow, UpdatePerUserSystemParameters, UpdateWindow, User32InitializeImmEntryTable, UserClientDllInitialize, UserHandleGrantAccess, UserLpkPSMTextOut, UserLpkTabbedTextOut, UserRealizePalette, UserRegisterWowHandlers, VRipOutput, VTagOutput, ValidateRect, ValidateRgn, VkKeyScanA, VkKeyScanExA, VkKeyScanExW, VkKeyScanW, WCSToMBEx, WINNLSEnableIME, WINNLSGetEnableStatus, WINNLSGetIMEHotkey, WaitForInputIdle, WaitMessage, Win32PoolAllocationStats, WinHelpA, WinHelpW, WindowFromDC, WindowFromPoint, keybd_event, mouse_event, wsprintfA, wsprintfW, wvsprintfA, wvsprintfW

peku006
2008-11-29, 14:09
Hi xardoz

put the Windows CD in the drive then doing the following:

Click Start > Run, type CMD and click OK.
At the command line type (assumes your hard drive is the C drive and your CD drive is the D drive):
expand d:\i386\user32.dl_ c:\windows\system32\user32.dll
Type Exit to Close the Command Prompt

After that reboot

run Kaspersky Online Scan and post back its report

Thanks peku006

xardoz
2008-11-30, 20:15
The system wont let it overwrite the existing file nor can I manually delete it.

peku006
2008-11-30, 20:59
Hi xardoz


can I manually delete it
No, it´s important system file

Please download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) from Bleeping Computer by OldTimer and save it to your desktop.
Double click on OTScanIt.exe to run it.
Click on Extract. Once done, you will be prompted. Click OK and click Close.
Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
Under Drivers section, select Non-Microsoft.
Click on the Run Scan button at the top left hand corner.
OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Thanks peku006

xardoz
2008-11-30, 21:18
Here you go, thank you for your continuing help...



OTScanIt logfile created on: 11/30/2008 11:14:53 AM
OTScanIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\User\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.17 Mb Total Physical Memory | 636.49 Mb Available Physical Memory | 62.70% Memory free
2.39 Gb Paging File | 2.10 Gb Available in Paging File | 87.89% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 153.38 Gb Total Space | 145.13 Gb Free Space | 94.62% Space Free | Partition Type: NTFS
Drive D: | 586.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 962.07 Mb Total Space | 511.21 Mb Free Space | 53.14% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAIN
Current User Name: User
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

[Processes - Non-Microsoft Only]
slserv.exe -> %SystemRoot%\system32\slserv.exe -> [Ver = 2.80.00(24Apr2000) | Size = 45056 bytes | Modified Date = 5/12/2004 6:32:38 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(lmab_device) lmab_device [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\LMabcoms.exe -> [Ver = 1.154.35.0 | Size = 491520 bytes | Modified Date = 6/14/2005 12:40:54 PM | Attr = ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> File not found
(NMIndexingService) NMIndexingService [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> File not found
(SLService) SmartLinkService [Win32_Own | Auto | Running] -> %SystemRoot%\system32\slserv.exe -> [Ver = 2.80.00(24Apr2000) | Size = 45056 bytes | Modified Date = 5/12/2004 6:32:38 PM | Attr = ]

[Driver Services - Non-Microsoft Only]
(ADIHdAudAddService) ADI UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\ADIHdAud.sys -> File not found
(AEAudioService) AEAudio Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\AEAudio.sys -> File not found
(AtcL001) NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\atl01_xp.sys -> Attansic Technology corporation. [Ver = 1.7.3790.7 | Size = 35840 bytes | Modified Date = 10/31/2006 10:10:06 AM | Attr = ]
(AtcL002) NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\l251x86.sys -> Atheros Communications, Inc. [Ver = 2.5.7.12 built by: WinDDK | Size = 30720 bytes | Modified Date = 2/20/2008 12:27:00 PM | Attr = ]
(b3cabbd1) b3cabbd1 [Kernel | System | Stopped] -> %SystemRoot%\System32\drivers\b3cabbd1.sys -> File not found
(Mtlmnt5) Mtlmnt5 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\mtlmnt5.sys -> [Ver = 4.00.01 | Size = 231224 bytes | Modified Date = 5/12/2004 5:35:08 PM | Attr = ]
(Mtlstrm) Mtlstrm [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mtlstrm.sys -> [Ver = 4.00.01 | Size = 1395296 bytes | Modified Date = 5/12/2004 5:28:06 PM | Attr = ]
(MTsensor) ATK0110 ACPI UTILITY [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ASACPI.sys -> [Ver = 1043, 2, 15, 37 | Size = 5810 bytes | Modified Date = 8/12/2004 6:56:20 PM | Attr = R ]
(RecAgent) RecAgent [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\RecAgent.sys -> [Ver = 4.00.01 | Size = 14408 bytes | Modified Date = 5/12/2004 5:38:02 PM | Attr = ]
(SenFiltService) SenFilt Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\Senfilt.sys -> File not found
(Slntamr) SmartLink AMR_PCI Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\slntamr.sys -> [Ver = 4.00.01 | Size = 652360 bytes | Modified Date = 5/12/2004 5:41:32 PM | Attr = ]
(SlNtHal) SlNtHal [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\slnthal.sys -> [Ver = 4.00.01 | Size = 100384 bytes | Modified Date = 5/12/2004 5:29:50 PM | Attr = ]
(SlWdmSup) SlWdmSup [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\slwdmsup.sys -> [Ver = 4.00.01 | Size = 13232 bytes | Modified Date = 5/12/2004 5:21:18 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 1/11/2008 9:16:38 PM | Attr = ]
AVG8_TRAY -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> AVG Technologies CZ, s.r.o. [Ver = 8.0.0.172 | Size = 1234712 bytes | Modified Date = 11/20/2008 7:15:48 PM | Attr = ]
High Definition Audio Property Page Shortcut -> %SystemRoot%\system32\HdAShCut.exe [HDAShCut.exe] -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5012 built by: WinDDK | Size = 61952 bytes | Modified Date = 10/27/2004 2:21:30 PM | Attr = ]
HotKeysCmds -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> Intel Corporation [Ver = 6.14.10.4814 | Size = 155648 bytes | Modified Date = 3/30/2007 12:00:16 PM | Attr = ]
IgfxTray -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> Intel Corporation [Ver = 6.14.10.4814 | Size = 131072 bytes | Modified Date = 3/30/2007 12:00:02 PM | Attr = ]
Persistence -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> Intel Corporation [Ver = 6.14.10.4814 | Size = 131072 bytes | Modified Date = 3/30/2007 11:59:36 AM | Attr = ]
RTHDCPL -> %SystemRoot%\RTHDCPL.exe [RTHDCPL.EXE] -> Realtek Semiconductor Corp. [Ver = 2.1.1.4 | Size = 16062464 bytes | Modified Date = 12/17/2006 8:00:00 AM | Attr = R ]
SkyTel -> %SystemRoot%\SkyTel.exe [SkyTel.EXE] -> Realtek Semiconductor Corp. [Ver = 1.0.0.0 | Size = 2879488 bytes | Modified Date = 5/15/2006 8:00:00 AM | Attr = R ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.100.33 | Size = 136600 bytes | Modified Date = 11/27/2008 11:30:19 AM | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< User Startup Folder > -> C:\Documents and Settings\User\Start Menu\Programs\Startup ->
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Size = 1033216 bytes | Modified Date = 6/13/2007 2:23:07 AM | Attr = ]
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 2/28/2006 4:00:00 AM | Attr = ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 514560 bytes | Modified Date = 2/28/2006 4:00:00 AM | Attr = ]
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3241 (xpsp_sp2_qfe.071025-1245) | Size = 8460288 bytes | Modified Date = 10/25/2007 7:34:01 PM | Attr = ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Modified Date = 2/28/2006 4:00:00 AM | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> Intel Corporation [Ver = 6.14.10.4814 | Size = 204800 bytes | Modified Date = 3/30/2007 11:59:06 AM | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 227 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 2/28/2006 4:00:00 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
< Drives with AutoRun files > -> ->
AUTORUN.INF [[AutoRun] | open=setup.exe | icon=setup.exe,0 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |  | ] -> D:\AUTORUN.INF [ CDFS ] -> [Ver = | Size = 110 bytes | Modified Date = 2/28/2006 4:00:00 AM | Attr = R ]
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5189 domain(s) found. ->
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5210 domain(s) found. ->
51 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 73 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre6\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> Sun Microsystems, Inc. [Ver = 6.0.100.33 | Size = 320920 bytes | Modified Date = 11/27/2008 11:30:19 AM | Attr = ]
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> Sun Microsystems, Inc. [Ver = 6.0.100.33 | Size = 34816 bytes | Modified Date = 11/27/2008 11:30:19 AM | Attr = ]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> Sun Microsystems, Inc. [Ver = 6.0.100.33 | Size = 73728 bytes | Modified Date = 11/27/2008 11:30:20 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{A057A204-BACC-4D26-9990-79A187E2698E} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> AVG, Technologies CZ, s.r.o [Ver = 5.0.2.400 | Size = 2055960 bytes | Modified Date = 11/20/2008 7:15:53 PM | Attr = ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 7/7/2008 9:41:58 AM | Attr = ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{C050E34F-D0A1-4ACF-AF63-4A93DCD35885} -> (Atheros L2 Fast Ethernet 10/100 Base-T Controller) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AVG\AVG8\avgpp.dll[XPLPPFilter Class] -> AVG Technologies CZ, s.r.o. [Ver = | Size = 79128 bytes | Modified Date = 11/20/2008 7:15:52 PM | Attr = ]
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab[Java Plug-in 1.6.0_10] ->
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab[Java Plug-in 1.6.0_10] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab[Java Plug-in 1.6.0_10] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ not found. -> ->



[Files/Folders - Created Within 30 days]
$AVG8.VAULT$ -> %SystemDrive%\$AVG8.VAULT$ -> [Folder | Created Date = 11/20/2008 7:18:25 PM | Attr = H ]
Boot.bak -> %SystemDrive%\Boot.bak -> [Ver = | Size = 211 bytes | Created Date = 11/23/2008 10:48:59 AM | Attr = ]
cmdcons -> %SystemDrive%\cmdcons -> [Folder | Created Date = 11/23/2008 10:48:56 AM | Attr = RHS]
cmldr -> %SystemDrive%\cmldr -> [Ver = | Size = 260272 bytes | Created Date = 11/23/2008 10:48:58 AM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 11/6/2008 10:34:43 PM | Attr = HS]
Qoobox -> %SystemDrive%\Qoobox -> [Folder | Created Date = 11/23/2008 10:45:59 AM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Created Date = 11/30/2008 9:52:49 AM | Attr = HS]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 11/23/2008 10:22:59 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 11/23/2008 2:51:20 PM | Attr = ]
Avg -> %SystemRoot%\System32\drivers\Avg -> [Folder | Created Date = 11/20/2008 7:15:54 PM | Attr = ]
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [Ver = | Size = 6061540 bytes | Created Date = 11/20/2008 7:15:54 PM | Attr = ]
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [Ver = | Size = 30399624 bytes | Created Date = 11/20/2008 7:15:54 PM | Attr = ]
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [Ver = | Size = 65537 bytes | Created Date = 11/21/2008 10:51:43 AM | Attr = ]
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [Ver = | Size = 334743 bytes | Created Date = 11/20/2008 7:15:54 PM | Attr = ]
appmgmt -> %SystemRoot%\System32\appmgmt -> [Folder | Created Date = 11/19/2008 11:40:52 AM | Attr = ]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
CatRoot_bak -> %SystemRoot%\System32\CatRoot_bak -> [Folder | Created Date = 11/27/2008 11:33:38 AM | Attr = ]
fes.ra -> %SystemRoot%\System32\fes.ra -> [Ver = | Size = 32768 bytes | Created Date = 11/6/2008 12:00:00 PM | Attr = ]
CSC -> %SystemRoot%\CSC -> [Folder | Created Date = 11/20/2008 9:13:30 PM | Attr = ]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Created Date = 11/23/2008 10:45:59 AM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 11/23/2008 10:23:57 AM | Attr = ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1, 2, 0, 22 | Size = 89504 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
grep.exe -> %SystemRoot%\grep.exe -> [Ver = | Size = 80412 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Created Date = 11/6/2008 12:03:04 PM | Attr = ]
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
sed.exe -> %SystemRoot%\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
SWREG.exe -> %SystemRoot%\SWREG.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
SWSC.exe -> %SystemRoot%\SWSC.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 11/23/2008 10:55:57 AM | Attr = ]
VFIND.exe -> %SystemRoot%\VFIND.exe -> [Ver = | Size = 49152 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 100 bytes | Created Date = 11/20/2008 8:35:00 PM | Attr = ]
zip.exe -> %SystemRoot%\zip.exe -> [Ver = | Size = 68096 bytes | Created Date = 11/23/2008 10:46:01 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 281 bytes | Modified Date = 11/23/2008 10:48:59 AM | Attr = RHS]
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [Ver = | Size = 6061540 bytes | Modified Date = 11/21/2008 10:51:43 AM | Attr = ]
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [Ver = | Size = 30399624 bytes | Modified Date = 11/27/2008 2:46:57 PM | Attr = ]
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [Ver = | Size = 65537 bytes | Modified Date = 11/27/2008 2:46:57 PM | Attr = ]
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [Ver = | Size = 334743 bytes | Modified Date = 11/21/2008 10:51:43 AM | Attr = ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [Ver = | Size = 27 bytes | Modified Date = 11/23/2008 10:54:14 AM | Attr = ]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
fes.ra -> %SystemRoot%\System32\fes.ra -> [Ver = | Size = 32768 bytes | Modified Date = 11/6/2008 12:00:00 PM | Attr = ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [Ver = | Size = 127704 bytes | Modified Date = 11/23/2008 5:39:56 PM | Attr = ]
LexFiles.usr -> %SystemRoot%\System32\LexFiles.usr -> [Ver = | Size = 1517 bytes | Modified Date = 11/20/2008 9:53:58 AM | Attr = ]
pakuyome -> %SystemRoot%\System32\pakuyome -> [Ver = | Size = 6456 bytes | Modified Date = 11/23/2008 10:25:41 AM | Attr = H ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [Ver = | Size = 71512 bytes | Modified Date = 11/30/2008 9:47:54 AM | Attr = ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [Ver = | Size = 441954 bytes | Modified Date = 11/30/2008 9:47:54 AM | Attr = ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [Ver = | Size = 522706 bytes | Modified Date = 11/30/2008 9:47:54 AM | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 13646 bytes | Modified Date = 11/30/2008 9:44:17 AM | Attr = ]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 11/30/2008 9:43:47 AM | Attr = S]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 11/28/2008 3:01:04 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 11/6/2008 9:35:08 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 11/23/2008 10:54:19 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 100 bytes | Modified Date = 11/20/2008 8:35:00 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/30/2008 9:43:50 AM | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [Folder | Modified Date = 11/23/2008 3:02:44 PM | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 4232 bytes | Modified Date = 11/27/2008 12:11:53 PM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4617 bytes | Modified Date = 11/27/2008 12:11:53 PM | Attr = ]
C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\ -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries -> [Folder | Modified Date = 11/27/2008 1:18:01 PM | Attr = ]
ScanningProcess.exe -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\ScanningProcess.exe -> Kaspersky Lab. [Ver = 5, 0, 1, 86 | Size = 139264 bytes | Modified Date = 11/27/2008 11:39:17 AM | Attr = ]
13 C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\*.tmp files -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\*.tmp ->
C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\ -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries -> [Folder | Modified Date = 11/27/2008 1:18:01 PM | Attr = ]
FSSync.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\FSSync.dll -> Kaspersky Lab [Ver = 6.0.5.678 | Size = 38400 bytes | Modified Date = 11/27/2008 11:39:17 AM | Attr = ]
ikave.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\ikave.dll -> [Ver = 5, 0, 1, 83 | Size = 65536 bytes | Modified Date = 11/27/2008 1:17:59 PM | Attr = ]
kave.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\kave.dll -> Kaspersky Lab. [Ver = 5, 0, 1, 86 | Size = 282624 bytes | Modified Date = 11/27/2008 1:17:59 PM | Attr = ]
kosglue-7.0.25.0.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\kosglue-7.0.25.0.dll -> Kaspersky Lab [Ver = 7.0.25.0 | Size = 729152 bytes | Modified Date = 11/27/2008 1:18:00 PM | Attr = ]
msvcm80.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\msvcm80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 479232 bytes | Modified Date = 11/27/2008 1:17:58 PM | Attr = ]
msvcp80.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\msvcp80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 548864 bytes | Modified Date = 11/27/2008 1:17:59 PM | Attr = ]
msvcr80.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\msvcr80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 626688 bytes | Modified Date = 11/27/2008 1:17:59 PM | Attr = ]
prLoader.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\prLoader.dll -> Kaspersky Lab [Ver = 6.0.2.678 | Size = 184320 bytes | Modified Date = 11/27/2008 11:39:18 AM | Attr = ]
prremote.dll -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\prremote.dll -> Kaspersky Lab [Ver = 6.0.2.678 | Size = 90112 bytes | Modified Date = 11/27/2008 1:18:00 PM | Attr = ]
13 C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\*.tmp files -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\*.tmp ->
C:\Documents and Settings\User\Local Settings\temp\jkos-User\engine\bases\ -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\engine\bases -> [Folder | Modified Date = 11/27/2008 1:18:50 PM | Attr = ]
sfdb.dat -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\engine\bases\sfdb.dat -> [Ver = | Size = 74968 bytes | Modified Date = 11/27/2008 1:19:07 PM | Attr = ]
C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\ -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries -> [Folder | Modified Date = 11/27/2008 1:18:01 PM | Attr = ]
_kave.ini -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\_kave.ini -> [Ver = | Size = 102 bytes | Modified Date = 11/27/2008 1:17:59 PM | Attr = ]
13 C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\*.tmp files -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\binaries\*.tmp ->
C:\Documents and Settings\User\Local Settings\temp\jkos-User\engine\bases\ -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\engine\bases -> [Folder | Modified Date = 11/27/2008 1:18:50 PM | Attr = ]
verdicts.ini -> C:\Documents and Settings\User\Local Settings\temp\jkos-User\engine\bases\verdicts.ini -> [Ver = | Size = 4184 bytes | Modified Date = 11/27/2008 12:31:22 PM | Attr = ]
C:\WINDOWS\Temp\ -> C:\WINDOWS\temp -> [Folder | Modified Date = 11/30/2008 11:15:07 AM | Attr = ]
Perflib_Perfdata_5b4.dat -> C:\WINDOWS\temp\Perflib_Perfdata_5b4.dat -> [Ver = | Size = 16384 bytes | Modified Date = 11/30/2008 9:43:51 AM | Attr = ]
Perflib_Perfdata_5bc.dat -> C:\WINDOWS\temp\Perflib_Perfdata_5bc.dat -> [Ver = | Size = 16384 bytes | Modified Date = 11/28/2008 3:08:22 AM | Attr = ]

< End of report >

peku006
2008-11-30, 21:35
Hi xardoz

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts

Please include the C:\ComboFix.txt in your next reply

Thanks peku006

xardoz
2008-12-01, 03:14
Here you go!


ComboFix 08-11-30.01 - User 2008-11-30 16:53:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-27 11:33 . 2008-11-27 12:12 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-27 11:30 . 2008-11-27 11:30 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 14:59 . 2008-11-23 14:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 14:59 . 2008-11-23 14:59 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-23 14:59 . 2008-11-23 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 14:59 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 14:59 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-23 14:51 . 2008-11-23 14:51 <DIR> d-------- C:\_OTMoveIt
2008-11-23 10:23 . 2008-11-23 10:24 <DIR> d-------- c:\windows\ERUNT
2008-11-23 10:22 . 2008-11-23 10:39 <DIR> d-------- C:\SDFix
2008-11-20 20:35 . 2008-11-20 20:35 100 --a------ c:\windows\wininit.ini
2008-11-20 19:32 . 2008-11-20 19:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-20 19:27 . 2008-11-20 19:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-20 19:18 . 2008-11-23 17:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-20 19:16 . 2008-11-20 19:16 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-20 19:15 . 2008-11-27 14:46 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-20 19:15 . 2008-11-20 19:15 <DIR> d-------- c:\program files\AVG
2008-11-20 19:15 . 2008-11-20 19:15 <DIR> d-------- c:\documents and settings\User\Application Data\AVGTOOLBAR
2008-11-20 19:15 . 2008-11-20 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-20 19:15 . 2008-11-20 19:15 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-20 19:15 . 2008-11-20 19:15 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-06 23:30 . 2008-11-19 11:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-06 16:08 . 2008-11-06 22:26 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-06 12:00 . 2008-11-06 12:00 32,768 --a------ c:\windows\system32\fes.ra

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 19:30 --------- d-----w c:\program files\Java
2008-11-24 03:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 03:38 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-21 03:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-21 03:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-21 03:28 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 17:22 14,336 ----a-w c:\windows\system32\svchost.exe
2008-11-07 06:59 --------- d-----w c:\program files\Common Files\Ahead
2008-11-07 06:59 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-06 19:59 577,536 ----a-w c:\windows\system32\user32.DLL
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-04-24 17:43 3,902,784 ----a-w c:\documents and settings\User\gosetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-23_10.55.09.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-05 09:41:45 453,120 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-28 11:00:29 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
- 2007-06-26 06:08:16 1,104,896 -c--a-w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 -c--a-w c:\windows\system32\dllcache\msxml3.dll
- 2007-03-16 01:16:42 236,928 -c----w c:\windows\system32\dllcache\WgaLogon.dll
+ 2008-09-06 07:30:42 241,704 -c----w c:\windows\system32\dllcache\wgaLogon.dll
- 2007-03-16 01:17:08 336,768 -c----w c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-06 07:29:58 917,032 -c----w c:\windows\system32\dllcache\WgaTray.exe
- 2008-10-15 10:08:32 127,704 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-11-24 01:39:56 127,704 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-02-22 08:23:35 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-27 19:30:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-02-22 08:23:39 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-27 19:30:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-02-22 09:33:32 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-27 19:30:19 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-03-21 01:06:36 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
+ 2008-09-06 07:30:06 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2007-05-15 22:43:10 1,320,800 ----a-w c:\windows\system32\msxml6.dll
+ 2008-08-30 04:06:44 1,350,664 ----a-w c:\windows\system32\msxml6.dll
- 2008-11-23 18:46:06 71,512 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-30 17:47:54 71,512 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-23 18:46:06 441,954 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-30 17:47:54 441,954 ----a-w c:\windows\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-03-16 01:16:42 236,928 ------w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 07:30:42 241,704 ----a-w c:\windows\system32\WgaLogon.dll
- 2007-03-16 01:17:08 336,768 ------w c:\windows\system32\WgaTray.exe
+ 2008-09-06 07:29:58 917,032 ------w c:\windows\system32\WgaTray.exe
+ 2008-11-30 17:43:51 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5b4.dat
+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-27 136600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-20 1234712]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-15 c:\windows\SkyTel.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-20 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-20 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-20 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-20 76040]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l251x86.sys [2008-02-20 30720]
S1 b3cabbd1;b3cabbd1;c:\windows\system32\drivers\b3cabbd1.sys []
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\atl01_xp.sys [2007-04-25 35840]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\b154ti04.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.indiafm.com/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 16:54:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-30 16:56:21
ComboFix-quarantined-files.txt 2008-12-01 00:56:17
ComboFix2.txt 2008-11-23 18:55:55

Pre-Run: 155,813,920,768 bytes free
Post-Run: 155,852,062,720 bytes free

156 --- E O F --- 2008-11-28 11:02:20

peku006
2008-12-01, 09:52
Hi xardoz
Looks better now....
let's run one online scan to be sure

1 - F-Secure Online Scan

Please go to F-Secure website (http://support.f-secure.com/ols3beta/start.html) to perform an online scan. Click on Start scanning at the bottom of the page.
You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
Click on Accept to accept the License Agreement.
Click on Custom Scan. Under Virus Scan Options, select the Scan whole system option.
Under Other Scan Options, select these options: Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics Click Start.
It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
Click on I want decide item by item.
Under Actions, select None for all infections found.
Click Next.
Click on Show Report.
Please copy and paste this report in your next reply.
Click Finish.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the F-Secure online scanner report
2. a fresh HijackThis log
How is the computer running now?

[color=darkred]Thanks peku006[/color

xardoz
2008-12-02, 07:09
The computer seems fine, but I have not been using it until the all clear.

Scanning Report
Monday, December 01, 2008 17:31:07 - 20:53:16

Computer name: MAIN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 8 malware found
Password-protected-EXE (virus)

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip

Rogue:W32/XPAntivirus.GHL (virus)

* C:\SDFix\backups\backups.zip\backups\sysin.scr

TrackingCookie.2o7 (spyware)

* System

Trojan-Mailfinder.Win32.Mailbot.dj (virus)

* C:\SDFix\backups\backups.zip\backups\1169113219.exe
* C:\SDFix\backups\backups.zip\backups\psyche.exe

Trojan.Win32.Patched.bb (virus)

* C:\WINDOWS\system32\dllcache\user32.dll (Disinfected)
* C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir (Disinfected)
* C:\Qoobox\Quarantine\C\WINDOWS\system32\_user32_.dll.zip\user32.dll

Statistics
Scanned:

* Files: 110920
* System: 2804
* Not scanned: 176

Actions:

* Disinfected: 2
* Renamed: 0
* Deleted: 0
* None: 6
* Submitted: 0

Files not scanned:

* 0?x AGEFILE.SYS ZEXEC.HST
* ZFILE.HST
* ZMISC.HST
* C:\XTGOLD\ZEXEC.HST
* C:\XTGOLD\ZFILE.HST
* C:\XTGOLD\ZMISC.HST
* C:\WINDOWS\TEMP\PERFLIB_PERFDATA_5B4.DAT
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.TMP.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* C:\DOCUMENTS AND SETTINGS\USER\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\USER\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip\csrssc.exe
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus1.zip\IUpd721.exe
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus1.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterRegistryTools.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterRegistryTools.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecM   
* C:\PAGEFILE.SYS
* ZEXEC.HST
* ZFILE.HST
* ZMISC.HST
* C:\XTGOLD\ZEXEC.HST
* C:\XTGOLD\ZFILE.HST
* C:\XTGOLD\ZMISC.HST
* C:\WINDOWS\TEMP\PERFLIB_PERFDATA_5B4.DAT
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.TMP.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* C:\DOCUMENTS AND SETTINGS\USER\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\USER\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip\csrssc.exe
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus1.zip\IUpd721.exe
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicroAntivirus1.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterRegistryTools.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterRegistryTools.zip\sbRecovery.ini
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityInternetExplorer.zip\sbRecovery.reg
* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Reco3

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Blacklight: 2.4.1093
* F-Secure Hydra: 2.8.8110, 2008-12-02
* F-Secure Pegasus: 1.20.0, 2008-10-25
* F-Secure AVP: 7.0.171, 2008-12-01

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:17 PM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 4785 bytes

peku006
2008-12-02, 20:27
Hi xardoz

Insert the WinXP CD-ROM into the CD-ROM or DVD-ROM drive and then restart the computer. Select any options that are required to start the computer from the CD-ROM or DVD-ROM drive if you are prompted to do so.

When the “Welcome to Setup” screen appears, press R to start Recovery Console. (See the sidebar “Using The Recovery Console.”)

At the command prompt, type the following command, and then press ENTER:

cd windows\system32

To rename the User32.dll file, type the following command, and then press ENTER:

ren user32.dll user32.bak

To expand a new copy of the User32.dll file from the WinXP CD-ROM to the System32 folder, type the following command, and then press ENTER:

expand D:\i386\user32.dl_ c:\windows\system32\user32.dll,where D: is the drive letter for the drive that contains the WinXP CD-ROM, and c:\windows is the drive letter and folder where WinXP is installed.

Type exit, press ENTER, and then restart the computer. (NOTE: If WinXP still won’t boot, you may have to perform an in-place upgrade [also called a repair install]).

Run F-Secure Online Scan again......

xardoz
2008-12-04, 03:59
Hopefully this is the ONE! :rolleyes:

Scanning Report
Wednesday, December 03, 2008 08:55:11 - 17:11:33

Computer name: MAIN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 6 malware found
Password-protected-EXE (virus)

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip (Submitted)

Rogue:W32/XPAntivirus.GHL (virus)

* C:\SDFix\backups\backups.zip\backups\sysin.scr

TrackingCookie.2o7 (spyware)

* System

Trojan-Mailfinder.Win32.Mailbot.dj (virus)

* C:\SDFix\backups\backups.zip\backups\1169113219.exe
* C:\SDFix\backups\backups.zip\backups\psyche.exe

Trojan.Win32.Patched.bb (virus)

* C:\Qoobox\Quarantine\C\WINDOWS\system32\_user32_.dll.zip\user32.dll

Statistics
Scanned:

* Files: 111204
* System: 2812
* Not scanned: 174

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 6
* Submitted: 1

Files not scanned:

x?H

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2008-12-03
* F-Secure AVP: 7.0.171, 2008-12-03
* F-Secure Pegasus: 1.20.0, 2008-10-25
* F-Secure Blacklight: 2.4.1093

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics

peku006
2008-12-04, 12:08
Hi
The scans are fine and it looks like your machine is clean :)

Next we remove all used tools.

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK


Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:

tashi
2008-12-06, 09:12
Thank you peku006. :)